client/web: switch to custom fork of gorilla/csrf

This fork removes the dependency on the html/template package, so we
should be able to enable the web client on mobile in the near future.

Updates #10261

Signed-off-by: Will Norris <will@tailscale.com>

Makefile

@@ -3,8 +3,6 @@ SYNO_ARCH ?= "amd64"
 SYNO_DSM ?= "7"
 TAGS ?= "latest"
 
-PLATFORM ?= "flyio" ## flyio==linux/amd64. Set to "" to build all platforms.
-
 vet: ## Run go vet
 	./tool/go vet ./...
 
@@ -90,7 +88,7 @@ publishdevimage: ## Build and publish tailscale image to location specified by $
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=client ./build_docker.sh
+	TAGS="${TAGS}" REPOS=${REPO} PUSH=true TARGET=client ./build_docker.sh
 
 publishdevoperator: ## Build and publish k8s-operator image to location specified by ${REPO}
 	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
@@ -98,7 +96,7 @@ publishdevoperator: ## Build and publish k8s-operator image to location specifie
 	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
 	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
 	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS="${TAGS}" REPOS=${REPO} PLATFORM=${PLATFORM} PUSH=true TARGET=operator ./build_docker.sh
+	TAGS="${TAGS}" REPOS=${REPO} PUSH=true TARGET=operator ./build_docker.sh
 
 help: ## Show this help
 	@echo "\nSpecify a command. The choices are:\n"

VERSION.txt

@@ -1 +1 @@
-1.58.2
+1.57.0

appc/appconnector.go

@@ -10,7 +10,6 @@
 package appc
 
 import (
-	"context"
 	"net/netip"
 	"slices"
 	"strings"
@@ -21,18 +20,14 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/views"
 	"tailscale.com/util/dnsname"
-	"tailscale.com/util/execqueue"
 )
 
 // RouteAdvertiser is an interface that allows the AppConnector to advertise
 // newly discovered routes that need to be served through the AppConnector.
 type RouteAdvertiser interface {
-	// AdvertiseRoute adds one or more route advertisements skipping any that
-	// are already advertised.
-	AdvertiseRoute(...netip.Prefix) error
-
-	// UnadvertiseRoute removes any matching route advertisements.
-	UnadvertiseRoute(...netip.Prefix) error
+	// AdvertiseRoute adds a new route advertisement if the route is not already
+	// being advertised.
+	AdvertiseRoute(netip.Prefix) error
 }
 
 // AppConnector is an implementation of an AppConnector that performs
@@ -50,19 +45,12 @@ type AppConnector struct {
 
 	// mu guards the fields that follow
 	mu sync.Mutex
-
 	// domains is a map of lower case domain names with no trailing dot, to a
 	// list of resolved IP addresses.
 	domains map[string][]netip.Addr
 
-	// controlRoutes is the list of routes that were last supplied by control.
-	controlRoutes []netip.Prefix
-
 	// wildcards is the list of domain strings that match subdomains.
 	wildcards []string
-
-	// queue provides ordering for update operations
-	queue execqueue.ExecQueue
 }
 
 // NewAppConnector creates a new AppConnector.
@@ -73,33 +61,11 @@ func NewAppConnector(logf logger.Logf, routeAdvertiser RouteAdvertiser) *AppConn
 	}
 }
 
-// UpdateDomainsAndRoutes starts an asynchronous update of the configuration
-// given the new domains and routes.
-func (e *AppConnector) UpdateDomainsAndRoutes(domains []string, routes []netip.Prefix) {
-	e.queue.Add(func() {
-		// Add the new routes first.
-		e.updateRoutes(routes)
-		e.updateDomains(domains)
-	})
-}
-
-// UpdateDomains asynchronously replaces the current set of configured domains
-// with the supplied set of domains. Domains must not contain a trailing dot,
-// and should be lower case. If the domain contains a leading '*' label it
-// matches all subdomains of a domain.
+// UpdateDomains replaces the current set of configured domains with the
+// supplied set of domains. Domains must not contain a trailing dot, and should
+// be lower case. If the domain contains a leading '*' label it matches all
+// subdomains of a domain.
 func (e *AppConnector) UpdateDomains(domains []string) {
-	e.queue.Add(func() {
-		e.updateDomains(domains)
-	})
-}
-
-// Wait waits for the currently scheduled asynchronous configuration changes to
-// complete.
-func (e *AppConnector) Wait(ctx context.Context) {
-	e.queue.Wait(ctx)
-}
-
-func (e *AppConnector) updateDomains(domains []string) {
 	e.mu.Lock()
 	defer e.mu.Unlock()
 
@@ -131,46 +97,6 @@ func (e *AppConnector) updateDomains(domains []string) {
 	e.logf("handling domains: %v and wildcards: %v", xmaps.Keys(e.domains), e.wildcards)
 }
 
-// updateRoutes merges the supplied routes into the currently configured routes. The routes supplied
-// by control for UpdateRoutes are supplemental to the routes discovered by DNS resolution, but are
-// also more often whole ranges. UpdateRoutes will remove any single address routes that are now
-// covered by new ranges.
-func (e *AppConnector) updateRoutes(routes []netip.Prefix) {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	// If there was no change since the last update, no work to do.
-	if slices.Equal(e.controlRoutes, routes) {
-		return
-	}
-
-	if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
-		e.logf("failed to advertise routes: %v: %v", routes, err)
-		return
-	}
-
-	var toRemove []netip.Prefix
-
-nextRoute:
-	for _, r := range routes {
-		for _, addr := range e.domains {
-			for _, a := range addr {
-				if r.Contains(a) && netip.PrefixFrom(a, a.BitLen()) != r {
-					pfx := netip.PrefixFrom(a, a.BitLen())
-					toRemove = append(toRemove, pfx)
-					continue nextRoute
-				}
-			}
-		}
-	}
-
-	if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-		e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
-	}
-
-	e.controlRoutes = routes
-}
-
 // Domains returns the currently configured domain list.
 func (e *AppConnector) Domains() views.Slice[string] {
 	e.mu.Lock()
@@ -206,7 +132,6 @@ func (e *AppConnector) ObserveDNSResponse(res []byte) {
 		return
 	}
 
-nextAnswer:
 	for {
 		h, err := p.AnswerHeader()
 		if err == dnsmessage.ErrSectionDone {
@@ -281,16 +206,6 @@ nextAnswer:
 		if slices.Contains(addrs, addr) {
 			continue
 		}
-		for _, route := range e.controlRoutes {
-			if route.Contains(addr) {
-				// record the new address associated with the domain for faster matching in subsequent
-				// requests and for diagnostic records.
-				e.mu.Lock()
-				e.domains[domain] = append(addrs, addr)
-				e.mu.Unlock()
-				continue nextAnswer
-			}
-		}
 		if err := e.routeAdvertiser.AdvertiseRoute(netip.PrefixFrom(addr, addr.BitLen())); err != nil {
 			e.logf("failed to advertise route for %s: %v: %v", domain, addr, err)
 			continue

appc/appconnector_test.go

@@ -4,7 +4,6 @@
 package appc
 
 import (
-	"context"
 	"net/netip"
 	"reflect"
 	"slices"
@@ -12,17 +11,12 @@ import (
 
 	xmaps "golang.org/x/exp/maps"
 	"golang.org/x/net/dns/dnsmessage"
-	"tailscale.com/appc/appctest"
-	"tailscale.com/util/mak"
 	"tailscale.com/util/must"
 )
 
 func TestUpdateDomains(t *testing.T) {
-	ctx := context.Background()
 	a := NewAppConnector(t.Logf, nil)
 	a.UpdateDomains([]string{"example.com"})
-
-	a.Wait(ctx)
 	if got, want := a.Domains().AsSlice(), []string{"example.com"}; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}
@@ -30,7 +24,6 @@ func TestUpdateDomains(t *testing.T) {
 	addr := netip.MustParseAddr("192.0.0.8")
 	a.domains["example.com"] = append(a.domains["example.com"], addr)
 	a.UpdateDomains([]string{"example.com"})
-	a.Wait(ctx)
 
 	if got, want := a.domains["example.com"], []netip.Addr{addr}; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
@@ -38,66 +31,15 @@ func TestUpdateDomains(t *testing.T) {
 
 	// domains are explicitly downcased on set.
 	a.UpdateDomains([]string{"UP.EXAMPLE.COM"})
-	a.Wait(ctx)
 	if got, want := xmaps.Keys(a.domains), []string{"up.example.com"}; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}
 }
 
-func TestUpdateRoutes(t *testing.T) {
-	ctx := context.Background()
-	rc := &appctest.RouteCollector{}
-	a := NewAppConnector(t.Logf, rc)
-	a.updateDomains([]string{"*.example.com"})
-
-	// This route should be collapsed into the range
-	a.ObserveDNSResponse(dnsResponse("a.example.com.", "192.0.2.1"))
-	a.Wait(ctx)
-
-	if !slices.Equal(rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}) {
-		t.Fatalf("got %v, want %v", rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
-	}
-
-	// This route should not be collapsed or removed
-	a.ObserveDNSResponse(dnsResponse("b.example.com.", "192.0.0.1"))
-	a.Wait(ctx)
-
-	routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
-	a.updateRoutes(routes)
-
-	slices.SortFunc(rc.Routes(), prefixCompare)
-	rc.SetRoutes(slices.Compact(rc.Routes()))
-	slices.SortFunc(routes, prefixCompare)
-
-	// Ensure that the non-matching /32 is preserved, even though it's in the domains table.
-	if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
-		t.Errorf("added routes: got %v, want %v", rc.Routes(), routes)
-	}
-
-	// Ensure that the contained /32 is removed, replaced by the /24.
-	wantRemoved := []netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")}
-	if !slices.EqualFunc(rc.RemovedRoutes(), wantRemoved, prefixEqual) {
-		t.Fatalf("unexpected removed routes: %v", rc.RemovedRoutes())
-	}
-}
-
-func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
-	rc := &appctest.RouteCollector{}
-	a := NewAppConnector(t.Logf, rc)
-	mak.Set(&a.domains, "example.com", []netip.Addr{netip.MustParseAddr("192.0.2.1")})
-	rc.SetRoutes([]netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
-	routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}
-	a.updateRoutes(routes)
-
-	if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
-		t.Fatalf("got %v, want %v", rc.Routes(), routes)
-	}
-}
-
 func TestDomainRoutes(t *testing.T) {
-	rc := &appctest.RouteCollector{}
+	rc := &routeCollector{}
 	a := NewAppConnector(t.Logf, rc)
-	a.updateDomains([]string{"example.com"})
+	a.UpdateDomains([]string{"example.com"})
 	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
 
 	want := map[string][]netip.Addr{
@@ -110,63 +52,51 @@ func TestDomainRoutes(t *testing.T) {
 }
 
 func TestObserveDNSResponse(t *testing.T) {
-	rc := &appctest.RouteCollector{}
+	rc := &routeCollector{}
 	a := NewAppConnector(t.Logf, rc)
 
 	// a has no domains configured, so it should not advertise any routes
 	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-	if got, want := rc.Routes(), ([]netip.Prefix)(nil); !slices.Equal(got, want) {
+	if got, want := rc.routes, ([]netip.Prefix)(nil); !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}
 
 	wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
 
-	a.updateDomains([]string{"example.com"})
+	a.UpdateDomains([]string{"example.com"})
 	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+	if got, want := rc.routes, wantRoutes; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}
 
 	wantRoutes = append(wantRoutes, netip.MustParsePrefix("2001:db8::1/128"))
 
 	a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
-	if got, want := rc.Routes(), wantRoutes; !slices.Equal(got, want) {
+	if got, want := rc.routes, wantRoutes; !slices.Equal(got, want) {
 		t.Errorf("got %v; want %v", got, want)
 	}
 
 	// don't re-advertise routes that have already been advertised
 	a.ObserveDNSResponse(dnsResponse("example.com.", "2001:db8::1"))
-	if !slices.Equal(rc.Routes(), wantRoutes) {
-		t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
-	}
-
-	// don't advertise addresses that are already in a control provided route
-	pfx := netip.MustParsePrefix("192.0.2.0/24")
-	a.updateRoutes([]netip.Prefix{pfx})
-	wantRoutes = append(wantRoutes, pfx)
-	a.ObserveDNSResponse(dnsResponse("example.com.", "192.0.2.1"))
-	if !slices.Equal(rc.Routes(), wantRoutes) {
-		t.Errorf("rc.Routes(): got %v; want %v", rc.Routes(), wantRoutes)
-	}
-	if !slices.Contains(a.domains["example.com"], netip.MustParseAddr("192.0.2.1")) {
-		t.Errorf("missing %v from %v", "192.0.2.1", a.domains["exmaple.com"])
+	if !slices.Equal(rc.routes, wantRoutes) {
+		t.Errorf("got %v; want %v", rc.routes, wantRoutes)
 	}
 }
 
 func TestWildcardDomains(t *testing.T) {
-	rc := &appctest.RouteCollector{}
+	rc := &routeCollector{}
 	a := NewAppConnector(t.Logf, rc)
 
-	a.updateDomains([]string{"*.example.com"})
+	a.UpdateDomains([]string{"*.example.com"})
 	a.ObserveDNSResponse(dnsResponse("foo.example.com.", "192.0.0.8"))
-	if got, want := rc.Routes(), []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
+	if got, want := rc.routes, []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}; !slices.Equal(got, want) {
 		t.Errorf("routes: got %v; want %v", got, want)
 	}
 	if got, want := a.wildcards, []string{"example.com"}; !slices.Equal(got, want) {
 		t.Errorf("wildcards: got %v; want %v", got, want)
 	}
 
-	a.updateDomains([]string{"*.example.com", "example.com"})
+	a.UpdateDomains([]string{"*.example.com", "example.com"})
 	if _, ok := a.domains["foo.example.com"]; !ok {
 		t.Errorf("expected foo.example.com to be preserved in domains due to wildcard")
 	}
@@ -175,7 +105,7 @@ func TestWildcardDomains(t *testing.T) {
 	}
 
 	// There was an early regression where the wildcard domain was added repeatedly, this guards against that.
-	a.updateDomains([]string{"*.example.com", "example.com"})
+	a.UpdateDomains([]string{"*.example.com", "example.com"})
 	if len(a.wildcards) != 1 {
 		t.Errorf("expected only one wildcard domain, got %v", a.wildcards)
 	}
@@ -218,13 +148,15 @@ func dnsResponse(domain, address string) []byte {
 	return must.Get(b.Finish())
 }
 
-func prefixEqual(a, b netip.Prefix) bool {
-	return a == b
+// routeCollector is a test helper that collects the list of routes advertised
+type routeCollector struct {
+	routes []netip.Prefix
 }
 
-func prefixCompare(a, b netip.Prefix) int {
-	if a.Addr().Compare(b.Addr()) == 0 {
-		return a.Bits() - b.Bits()
-	}
-	return a.Addr().Compare(b.Addr())
+// routeCollector implements RouteAdvertiser
+var _ RouteAdvertiser = (*routeCollector)(nil)
+
+func (rc *routeCollector) AdvertiseRoute(pfx netip.Prefix) error {
+	rc.routes = append(rc.routes, pfx)
+	return nil
 }

appc/appctest/appctest.go

@@ -1,49 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package appctest
-
-import (
-	"net/netip"
-	"slices"
-)
-
-// RouteCollector is a test helper that collects the list of routes advertised
-type RouteCollector struct {
-	routes        []netip.Prefix
-	removedRoutes []netip.Prefix
-}
-
-func (rc *RouteCollector) AdvertiseRoute(pfx ...netip.Prefix) error {
-	rc.routes = append(rc.routes, pfx...)
-	return nil
-}
-
-func (rc *RouteCollector) UnadvertiseRoute(toRemove ...netip.Prefix) error {
-	routes := rc.routes
-	rc.routes = rc.routes[:0]
-	for _, r := range routes {
-		if !slices.Contains(toRemove, r) {
-			rc.routes = append(rc.routes, r)
-		} else {
-			rc.removedRoutes = append(rc.removedRoutes, r)
-		}
-	}
-	return nil
-}
-
-// RemovedRoutes returns the list of routes that were removed.
-func (rc *RouteCollector) RemovedRoutes() []netip.Prefix {
-	return rc.removedRoutes
-}
-
-// Routes returns the ordered list of routes that were added, including
-// possible duplicates.
-func (rc *RouteCollector) Routes() []netip.Prefix {
-	return rc.routes
-}
-
-func (rc *RouteCollector) SetRoutes(routes []netip.Prefix) error {
-	rc.routes = routes
-	return nil
-}

build_docker.sh

@@ -32,7 +32,6 @@ PUSH="${PUSH:-false}"
 TARGET="${TARGET:-${DEFAULT_TARGET}}"
 TAGS="${TAGS:-${DEFAULT_TAGS}}"
 BASE="${BASE:-${DEFAULT_BASE}}"
-PLATFORM="${PLATFORM:-}" # default to all platforms
 
 case "$TARGET" in
   client)
@@ -51,7 +50,6 @@ case "$TARGET" in
       --tags="${TAGS}" \
       --repos="${REPOS}" \
       --push="${PUSH}" \
-      --target="${PLATFORM}" \
       /usr/local/bin/containerboot
     ;;
   operator)
@@ -67,7 +65,6 @@ case "$TARGET" in
       --tags="${TAGS}" \
       --repos="${REPOS}" \
       --push="${PUSH}" \
-      --target="${PLATFORM}" \
       /usr/local/bin/operator
     ;;
   *)

client/web/auth.go

@@ -8,7 +8,6 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"errors"
-	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
@@ -233,55 +232,3 @@ func (s *Server) newSessionID() (string, error) {
 	}
 	return "", errors.New("too many collisions generating new session; please refresh page")
 }
-
-type peerCapabilities map[capFeature]bool // value is true if the peer can edit the given feature
-
-// canEdit is true if the peerCapabilities grant edit access
-// to the given feature.
-func (p peerCapabilities) canEdit(feature capFeature) bool {
-	if p == nil {
-		return false
-	}
-	if p[capFeatureAll] {
-		return true
-	}
-	return p[feature]
-}
-
-type capFeature string
-
-const (
-	// The following values should not be edited.
-	// New caps can be added, but existing ones should not be changed,
-	// as these exact values are used by users in tailnet policy files.
-
-	capFeatureAll      capFeature = "*"        // grants peer management of all features
-	capFeatureFunnel   capFeature = "funnel"   // grants peer serve/funnel management
-	capFeatureSSH      capFeature = "ssh"      // grants peer SSH server management
-	capFeatureSubnet   capFeature = "subnet"   // grants peer subnet routes management
-	capFeatureExitNode capFeature = "exitnode" // grants peer ability to advertise-as and use exit nodes
-	capFeatureAccount  capFeature = "account"  // grants peer ability to turn on auto updates and log out of node
-)
-
-type capRule struct {
-	CanEdit []string `json:"canEdit,omitempty"` // list of features peer is allowed to edit
-}
-
-// toPeerCapabilities parses out the web ui capabilities from the
-// given whois response.
-func toPeerCapabilities(whois *apitype.WhoIsResponse) (peerCapabilities, error) {
-	caps := peerCapabilities{}
-	if whois == nil {
-		return caps, nil
-	}
-	rules, err := tailcfg.UnmarshalCapJSON[capRule](whois.CapMap, tailcfg.PeerCapabilityWebUI)
-	if err != nil {
-		return nil, fmt.Errorf("failed to unmarshal capability: %v", err)
-	}
-	for _, c := range rules {
-		for _, f := range c.CanEdit {
-			caps[capFeature(strings.ToLower(f))] = true
-		}
-	}
-	return caps, nil
-}

client/web/src/components/login-toggle.tsx

@@ -95,16 +95,9 @@ function LoginPopoverContent({
   const [canConnectOverTS, setCanConnectOverTS] = useState<boolean>(false)
   const [isRunningCheck, setIsRunningCheck] = useState<boolean>(false)
 
-  // Whether the current page is loaded over HTTPS.
-  // If it is, then the connectivity check to the management client
-  // will fail with a mixed-content error.
-  const isHTTPS = window.location.protocol === "https:"
-
   const checkTSConnection = useCallback(() => {
-    if (auth.viewerIdentity || isHTTPS) {
-      // Skip the connectivity check if we either already know we're connected over Tailscale,
-      // or know the connectivity check will fail because the current page is loaded over HTTPS.
-      setCanConnectOverTS(true)
+    if (auth.viewerIdentity) {
+      setCanConnectOverTS(true) // already connected over ts
       return
     }
     // Otherwise, test connection to the ts IP.
@@ -118,7 +111,7 @@ function LoginPopoverContent({
         setIsRunningCheck(false)
       })
       .catch(() => setIsRunningCheck(false))
-  }, [auth.viewerIdentity, isRunningCheck, node.IPv4, isHTTPS])
+  }, [auth.viewerIdentity, isRunningCheck, node.IPv4])
 
   /**
    * Checking connection for first time on page load.
@@ -200,14 +193,6 @@ function LoginPopoverContent({
                     You can see most of this device's details. To make changes,
                     you need to sign in.
                   </p>
-                  {isHTTPS && (
-                    // we don't know if the user can connect over TS, so
-                    // provide extra tips in case they have trouble.
-                    <p className="text-gray-500 text-xs font-semibold pt-2">
-                      Make sure you are connected to your tailnet, and that your
-                      policy file allows access.
-                    </p>
-                  )}
                   <SignInButton auth={auth} onClick={handleSignInClick} />
                 </>
               )}

client/web/web.go

@@ -22,7 +22,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/gorilla/csrf"
+	"github.com/tailscale/csrf"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/clientupdate"
@@ -450,11 +450,10 @@ type authResponse struct {
 // viewerIdentity is the Tailscale identity of the source node
 // connected to this web client.
 type viewerIdentity struct {
-	LoginName     string           `json:"loginName"`
-	NodeName      string           `json:"nodeName"`
-	NodeIP        string           `json:"nodeIP"`
-	ProfilePicURL string           `json:"profilePicUrl,omitempty"`
-	Capabilities  peerCapabilities `json:"capabilities"` // features peer is allowed to edit
+	LoginName     string `json:"loginName"`
+	NodeName      string `json:"nodeName"`
+	NodeIP        string `json:"nodeIP"`
+	ProfilePicURL string `json:"profilePicUrl,omitempty"`
 }
 
 // serverAPIAuth handles requests to the /api/auth endpoint
@@ -465,16 +464,10 @@ func (s *Server) serveAPIAuth(w http.ResponseWriter, r *http.Request) {
 	session, whois, status, sErr := s.getSession(r)
 
 	if whois != nil {
-		caps, err := toPeerCapabilities(whois)
-		if err != nil {
-			http.Error(w, sErr.Error(), http.StatusInternalServerError)
-			return
-		}
 		resp.ViewerIdentity = &viewerIdentity{
 			LoginName:     whois.UserProfile.LoginName,
 			NodeName:      whois.Node.Name,
 			ProfilePicURL: whois.UserProfile.ProfilePicURL,
-			Capabilities:  caps,
 		}
 		if addrs := whois.Node.Addresses; len(addrs) > 0 {
 			resp.ViewerIdentity.NodeIP = addrs[0].Addr().String()

client/web/web_test.go

@@ -450,7 +450,6 @@ func TestServeAuth(t *testing.T) {
 		NodeName:      remoteNode.Node.Name,
 		NodeIP:        remoteIP,
 		ProfilePicURL: user.ProfilePicURL,
-		Capabilities:  peerCapabilities{},
 	}
 
 	testControlURL := &defaultControlURL
@@ -1098,163 +1097,6 @@ func TestRequireTailscaleIP(t *testing.T) {
 	}
 }
 
-func TestPeerCapabilities(t *testing.T) {
-	// Testing web.toPeerCapabilities
-	toPeerCapsTests := []struct {
-		name     string
-		whois    *apitype.WhoIsResponse
-		wantCaps peerCapabilities
-	}{
-		{
-			name:     "empty-whois",
-			whois:    nil,
-			wantCaps: peerCapabilities{},
-		},
-		{
-			name: "no-webui-caps",
-			whois: &apitype.WhoIsResponse{
-				CapMap: tailcfg.PeerCapMap{
-					tailcfg.PeerCapabilityDebugPeer: []tailcfg.RawMessage{},
-				},
-			},
-			wantCaps: peerCapabilities{},
-		},
-		{
-			name: "one-webui-cap",
-			whois: &apitype.WhoIsResponse{
-				CapMap: tailcfg.PeerCapMap{
-					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnet\"]}",
-					},
-				},
-			},
-			wantCaps: peerCapabilities{
-				capFeatureSSH:    true,
-				capFeatureSubnet: true,
-			},
-		},
-		{
-			name: "multiple-webui-cap",
-			whois: &apitype.WhoIsResponse{
-				CapMap: tailcfg.PeerCapMap{
-					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"ssh\",\"subnet\"]}",
-						"{\"canEdit\":[\"subnet\",\"exitnode\",\"*\"]}",
-					},
-				},
-			},
-			wantCaps: peerCapabilities{
-				capFeatureSSH:      true,
-				capFeatureSubnet:   true,
-				capFeatureExitNode: true,
-				capFeatureAll:      true,
-			},
-		},
-		{
-			name: "case=insensitive-caps",
-			whois: &apitype.WhoIsResponse{
-				CapMap: tailcfg.PeerCapMap{
-					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"SSH\",\"sUBnet\"]}",
-					},
-				},
-			},
-			wantCaps: peerCapabilities{
-				capFeatureSSH:    true,
-				capFeatureSubnet: true,
-			},
-		},
-		{
-			name: "random-canEdit-contents-dont-error",
-			whois: &apitype.WhoIsResponse{
-				CapMap: tailcfg.PeerCapMap{
-					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canEdit\":[\"unknown-feature\"]}",
-					},
-				},
-			},
-			wantCaps: peerCapabilities{
-				"unknown-feature": true,
-			},
-		},
-		{
-			name: "no-canEdit-section",
-			whois: &apitype.WhoIsResponse{
-				CapMap: tailcfg.PeerCapMap{
-					tailcfg.PeerCapabilityWebUI: []tailcfg.RawMessage{
-						"{\"canDoSomething\":[\"*\"]}",
-					},
-				},
-			},
-			wantCaps: peerCapabilities{},
-		},
-	}
-	for _, tt := range toPeerCapsTests {
-		t.Run("toPeerCapabilities-"+tt.name, func(t *testing.T) {
-			got, err := toPeerCapabilities(tt.whois)
-			if err != nil {
-				t.Fatalf("unexpected: %v", err)
-			}
-			if diff := cmp.Diff(got, tt.wantCaps); diff != "" {
-				t.Errorf("wrong caps; (-got+want):%v", diff)
-			}
-		})
-	}
-
-	// Testing web.peerCapabilities.canEdit
-	canEditTests := []struct {
-		name        string
-		caps        peerCapabilities
-		wantCanEdit map[capFeature]bool
-	}{
-		{
-			name: "empty-caps",
-			caps: nil,
-			wantCanEdit: map[capFeature]bool{
-				capFeatureAll:      false,
-				capFeatureFunnel:   false,
-				capFeatureSSH:      false,
-				capFeatureSubnet:   false,
-				capFeatureExitNode: false,
-				capFeatureAccount:  false,
-			},
-		},
-		{
-			name: "some-caps",
-			caps: peerCapabilities{capFeatureSSH: true, capFeatureAccount: true},
-			wantCanEdit: map[capFeature]bool{
-				capFeatureAll:      false,
-				capFeatureFunnel:   false,
-				capFeatureSSH:      true,
-				capFeatureSubnet:   false,
-				capFeatureExitNode: false,
-				capFeatureAccount:  true,
-			},
-		},
-		{
-			name: "wildcard-in-caps",
-			caps: peerCapabilities{capFeatureAll: true, capFeatureAccount: true},
-			wantCanEdit: map[capFeature]bool{
-				capFeatureAll:      true,
-				capFeatureFunnel:   true,
-				capFeatureSSH:      true,
-				capFeatureSubnet:   true,
-				capFeatureExitNode: true,
-				capFeatureAccount:  true,
-			},
-		},
-	}
-	for _, tt := range canEditTests {
-		t.Run("canEdit-"+tt.name, func(t *testing.T) {
-			for f, want := range tt.wantCanEdit {
-				if got := tt.caps.canEdit(f); got != want {
-					t.Errorf("wrong canEdit(%s); got=%v, want=%v", f, got, want)
-				}
-			}
-		})
-	}
-}
-
 var (
 	defaultControlURL   = "https://controlplane.tailscale.com"
 	testAuthPath        = "/a/12345"

cmd/derper/depaware.txt

@@ -142,7 +142,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
    W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
         tailscale.com/util/cmpx                                      from tailscale.com/cmd/derper+
-        tailscale.com/util/ctxkey                                    from tailscale.com/tsweb+
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
         tailscale.com/util/httpm                                     from tailscale.com/client/tailscale

cmd/k8s-operator/deploy/chart/templates/deployment.yaml

@@ -59,6 +59,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+            - name: ENABLE_CONNECTOR
+              value: "{{ .Values.enableConnector }}"
             - name: CLIENT_ID_FILE
               value: /oauth/client_id
             - name: CLIENT_SECRET_FILE

cmd/k8s-operator/deploy/chart/templates/ingressclass.yaml

@@ -1,8 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-  name: tailscale # class name currently can not be changed
-  annotations: {} # we do not support default IngressClass annotation https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class
-spec:
-  controller: tailscale.com/ts-ingress # controller name currently can not be changed
-  # parameters: {} # currently no parameters are supported

cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml

@@ -18,9 +18,6 @@ rules:
 - apiGroups: ["networking.k8s.io"]
   resources: ["ingresses", "ingresses/status"]
   verbs: ["*"]
-- apiGroups: ["networking.k8s.io"]
-  resources: ["ingressclasses"]
-  verbs: ["get", "list", "watch"]
 - apiGroups: ["tailscale.com"]
   resources: ["connectors", "connectors/status"]
   verbs: ["get", "list", "watch", "update"]

cmd/k8s-operator/deploy/chart/values.yaml

@@ -8,11 +8,11 @@ oauth: {}
   # clientId: ""
   # clientSecret: ""
 
-# installCRDs determines whether tailscale.com CRDs should be installed as part
-# of chart installation. We do not use Helm's CRD installation mechanism as that
-# does not allow for upgrading CRDs.
-# https://helm.sh/docs/chart_best_practices/custom_resource_definitions/
-installCRDs: "true"
+# enableConnector determines whether the operator should reconcile
+# connector.tailscale.com custom resources. If set to true you have to install
+# connector CRD in a separate step.
+# You can do so by running 'kubectl apply -f ./cmd/k8s-operator/deploy/crds'.
+enableConnector: "false"
 
 operatorConfig:
   image:

cmd/k8s-operator/deploy/manifests/operator.yaml

@@ -27,132 +27,6 @@ metadata:
     name: proxies
     namespace: tailscale
 ---
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-    annotations:
-        controller-gen.kubebuilder.io/version: v0.13.0
-    name: connectors.tailscale.com
-spec:
-    group: tailscale.com
-    names:
-        kind: Connector
-        listKind: ConnectorList
-        plural: connectors
-        shortNames:
-            - cn
-        singular: connector
-    scope: Cluster
-    versions:
-        - additionalPrinterColumns:
-            - description: CIDR ranges exposed to tailnet by a subnet router defined via this Connector instance.
-              jsonPath: .status.subnetRoutes
-              name: SubnetRoutes
-              type: string
-            - description: Whether this Connector instance defines an exit node.
-              jsonPath: .status.isExitNode
-              name: IsExitNode
-              type: string
-            - description: Status of the deployed Connector resources.
-              jsonPath: .status.conditions[?(@.type == "ConnectorReady")].reason
-              name: Status
-              type: string
-          name: v1alpha1
-          schema:
-            openAPIV3Schema:
-                properties:
-                    apiVersion:
-                        description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-                        type: string
-                    kind:
-                        description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-                        type: string
-                    metadata:
-                        type: object
-                    spec:
-                        description: ConnectorSpec describes the desired Tailscale component.
-                        properties:
-                            exitNode:
-                                description: ExitNode defines whether the Connector node should act as a Tailscale exit node. Defaults to false. https://tailscale.com/kb/1103/exit-nodes
-                                type: boolean
-                            hostname:
-                                description: Hostname is the tailnet hostname that should be assigned to the Connector node. If unset, hostname defaults to <connector name>-connector. Hostname can contain lower case letters, numbers and dashes, it must not start or end with a dash and must be between 2 and 63 characters long.
-                                pattern: ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$
-                                type: string
-                            subnetRouter:
-                                description: SubnetRouter defines subnet routes that the Connector node should expose to tailnet. If unset, none are exposed. https://tailscale.com/kb/1019/subnets/
-                                properties:
-                                    advertiseRoutes:
-                                        description: AdvertiseRoutes refer to CIDRs that the subnet router should make available. Route values must be strings that represent a valid IPv4 or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes. https://tailscale.com/kb/1201/4via6-subnets/
-                                        items:
-                                            format: cidr
-                                            type: string
-                                        minItems: 1
-                                        type: array
-                                required:
-                                    - advertiseRoutes
-                                type: object
-                            tags:
-                                description: Tags that the Tailscale node will be tagged with. Defaults to [tag:k8s]. To autoapprove the subnet routes or exit node defined by a Connector, you can configure Tailscale ACLs to give these tags the necessary permissions. See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes. If you specify custom tags here, you must also make the operator an owner of these tags. See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. Tags cannot be changed once a Connector node has been created. Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
-                                items:
-                                    pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
-                                    type: string
-                                type: array
-                        type: object
-                        x-kubernetes-validations:
-                            - message: A Connector needs to be either an exit node or a subnet router, or both.
-                              rule: has(self.subnetRouter) || self.exitNode == true
-                    status:
-                        description: ConnectorStatus describes the status of the Connector. This is set and managed by the Tailscale operator.
-                        properties:
-                            conditions:
-                                description: List of status conditions to indicate the status of the Connector. Known condition types are `ConnectorReady`.
-                                items:
-                                    description: ConnectorCondition contains condition information for a Connector.
-                                    properties:
-                                        lastTransitionTime:
-                                            description: LastTransitionTime is the timestamp corresponding to the last status change of this condition.
-                                            format: date-time
-                                            type: string
-                                        message:
-                                            description: Message is a human readable description of the details of the last transition, complementing reason.
-                                            type: string
-                                        observedGeneration:
-                                            description: If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the Connector.
-                                            format: int64
-                                            type: integer
-                                        reason:
-                                            description: Reason is a brief machine readable explanation for the condition's last transition.
-                                            type: string
-                                        status:
-                                            description: Status of the condition, one of ('True', 'False', 'Unknown').
-                                            type: string
-                                        type:
-                                            description: Type of the condition, known values are (`SubnetRouterReady`).
-                                            type: string
-                                    required:
-                                        - status
-                                        - type
-                                    type: object
-                                type: array
-                                x-kubernetes-list-map-keys:
-                                    - type
-                                x-kubernetes-list-type: map
-                            isExitNode:
-                                description: IsExitNode is set to true if the Connector acts as an exit node.
-                                type: boolean
-                            subnetRoutes:
-                                description: SubnetRoutes are the routes currently exposed to tailnet via this Connector instance.
-                                type: string
-                        type: object
-                required:
-                    - spec
-                type: object
-          served: true
-          storage: true
-          subresources:
-            status: {}
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -173,14 +47,6 @@ rules:
         - ingresses/status
       verbs:
         - '*'
-    - apiGroups:
-        - networking.k8s.io
-      resources:
-        - ingressclasses
-      verbs:
-        - get
-        - list
-        - watch
     - apiGroups:
         - tailscale.com
       resources:
@@ -294,6 +160,8 @@ spec:
                       valueFrom:
                         fieldRef:
                             fieldPath: metadata.namespace
+                    - name: ENABLE_CONNECTOR
+                      value: "false"
                     - name: CLIENT_ID_FILE
                       value: /oauth/client_id
                     - name: CLIENT_SECRET_FILE
@@ -320,11 +188,3 @@ spec:
                 - name: oauth
                   secret:
                     secretName: operator-oauth
----
-apiVersion: networking.k8s.io/v1
-kind: IngressClass
-metadata:
-    annotations: {}
-    name: tailscale
-spec:
-    controller: tailscale.com/ts-ingress

cmd/k8s-operator/generate/main.go

@@ -18,49 +18,15 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
-const (
-	operatorDeploymentFilesPath = "cmd/k8s-operator/deploy"
-	crdPath                     = operatorDeploymentFilesPath + "/crds/tailscale.com_connectors.yaml"
-	helmTemplatesPath           = operatorDeploymentFilesPath + "/chart/templates"
-	crdTemplatePath             = helmTemplatesPath + "/connectors.yaml"
-
-	helmConditionalStart = "{{ if .Values.installCRDs -}}\n"
-	helmConditionalEnd   = "{{- end -}}"
-)
-
 func main() {
-	if len(os.Args) < 2 {
-		log.Fatalf("usage ./generate [staticmanifests|helmcrd]")
-	}
 	repoRoot := "../../"
-	switch os.Args[1] {
-	case "helmcrd": // insert CRD to Helm templates behind a installCRDs=true conditional check
-		log.Print("Adding Connector CRD to Helm templates")
-		if err := generate("./"); err != nil {
-			log.Fatalf("error adding Connector CRD to Helm templates: %v", err)
-		}
-		return
-	case "staticmanifests": // generate static manifests from Helm templates (including the CRD)
-	default:
-		log.Fatalf("unknown option %s, known options are 'staticmanifests', 'helmcrd'", os.Args[1])
-	}
-	log.Printf("Inserting CRD into the Helm templates")
-	if err := generate(repoRoot); err != nil {
-		log.Fatalf("error adding Connector CRD to Helm templates: %v", err)
-	}
-	defer func() {
-		if err := cleanup(repoRoot); err != nil {
-			log.Fatalf("error cleaning up generated resources")
-		}
-	}()
-	log.Print("Templating Helm chart contents")
-	helmTmplCmd := exec.Command("./tool/helm", "template", "operator", "./cmd/k8s-operator/deploy/chart",
+	cmd := exec.Command("./tool/helm", "template", "operator", "./cmd/k8s-operator/deploy/chart",
 		"--namespace=tailscale")
-	helmTmplCmd.Dir = repoRoot
+	cmd.Dir = repoRoot
 	var out bytes.Buffer
-	helmTmplCmd.Stdout = &out
-	helmTmplCmd.Stderr = os.Stderr
-	if err := helmTmplCmd.Run(); err != nil {
+	cmd.Stdout = &out
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
 		log.Fatalf("error templating helm manifests: %v", err)
 	}
 
@@ -88,6 +54,7 @@ func main() {
 		if err != nil {
 			log.Fatalf("failed read from input data: %v", err)
 		}
+
 		bytes, err := yaml.Marshal(document)
 		if err != nil {
 			log.Fatalf("failed to marshal YAML document: %v", err)
@@ -105,35 +72,3 @@ func main() {
 		log.Fatalf("error writing new file: %v", err)
 	}
 }
-
-func generate(baseDir string) error {
-	log.Print("Placing Connector CRD into Helm templates..")
-	chartBytes, err := os.ReadFile(filepath.Join(baseDir, crdPath))
-	if err != nil {
-		return fmt.Errorf("error reading CRD contents: %w", err)
-	}
-	// Place a new temporary Helm template file with the templated CRD
-	// contents into Helm templates.
-	file, err := os.Create(filepath.Join(baseDir, crdTemplatePath))
-	if err != nil {
-		return fmt.Errorf("error creating CRD template file: %w", err)
-	}
-	if _, err := file.Write([]byte(helmConditionalStart)); err != nil {
-		return fmt.Errorf("error writing helm if statement start: %w", err)
-	}
-	if _, err := file.Write(chartBytes); err != nil {
-		return fmt.Errorf("error writing chart bytes: %w", err)
-	}
-	if _, err := file.Write([]byte(helmConditionalEnd)); err != nil {
-		return fmt.Errorf("error writing helm if-statement end: %w", err)
-	}
-	return nil
-}
-
-func cleanup(baseDir string) error {
-	log.Print("Cleaning up CRD from Helm templates")
-	if err := os.Remove(filepath.Join(baseDir, crdTemplatePath)); err != nil && !os.IsNotExist(err) {
-		return fmt.Errorf("error cleaning up CRD template: %w", err)
-	}
-	return nil
-}

cmd/k8s-operator/generate/main_test.go

@@ -1,68 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !plan9 && !windows
-
-package main
-
-import (
-	"bytes"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-	"testing"
-)
-
-func Test_generate(t *testing.T) {
-	base, err := os.Getwd()
-	base = filepath.Join(base, "../../../")
-	if err != nil {
-		t.Fatalf("error getting current working directory: %v", err)
-	}
-	defer cleanup(base)
-	if err := generate(base); err != nil {
-		t.Fatalf("CRD template generation: %v", err)
-	}
-
-	tempDir := t.TempDir()
-	helmCLIPath := filepath.Join(base, "tool/helm")
-	helmChartTemplatesPath := filepath.Join(base, "cmd/k8s-operator/deploy/chart")
-	helmPackageCmd := exec.Command(helmCLIPath, "package", helmChartTemplatesPath, "--destination", tempDir, "--version", "0.0.1")
-	helmPackageCmd.Stderr = os.Stderr
-	helmPackageCmd.Stdout = os.Stdout
-	if err := helmPackageCmd.Run(); err != nil {
-		t.Fatalf("error packaging Helm chart: %v", err)
-	}
-	helmPackagePath := filepath.Join(tempDir, "tailscale-operator-0.0.1.tgz")
-	helmLintCmd := exec.Command(helmCLIPath, "lint", helmPackagePath)
-	helmLintCmd.Stderr = os.Stderr
-	helmLintCmd.Stdout = os.Stdout
-	if err := helmLintCmd.Run(); err != nil {
-		t.Fatalf("Helm chart linter failed: %v", err)
-	}
-
-	// Test that default Helm install contains the CRD
-	installContentsWithCRD := bytes.NewBuffer([]byte{})
-	helmTemplateWithCRDCmd := exec.Command(helmCLIPath, "template", helmPackagePath)
-	helmTemplateWithCRDCmd.Stderr = os.Stderr
-	helmTemplateWithCRDCmd.Stdout = installContentsWithCRD
-	if err := helmTemplateWithCRDCmd.Run(); err != nil {
-		t.Fatalf("templating Helm chart with CRDs failed: %v", err)
-	}
-	if !strings.Contains(installContentsWithCRD.String(), "name: connectors.tailscale.com") {
-		t.Errorf("CRD not found in default chart install")
-	}
-
-	// Test that CRD can be excluded from Helm chart install
-	installContentsWithoutCRD := bytes.NewBuffer([]byte{})
-	helmTemplateWithoutCRDCmd := exec.Command(helmCLIPath, "template", helmPackagePath, "--set", "installCRDs=false")
-	helmTemplateWithoutCRDCmd.Stderr = os.Stderr
-	helmTemplateWithoutCRDCmd.Stdout = installContentsWithoutCRD
-	if err := helmTemplateWithoutCRDCmd.Run(); err != nil {
-		t.Fatalf("templating Helm chart without CRDs failed: %v", err)
-	}
-	if strings.Contains(installContentsWithoutCRD.String(), "name: connectors.tailscale.com") {
-		t.Errorf("CRD found in chart install that should not contain a CRD")
-	}
-}

cmd/k8s-operator/ingress.go

@@ -12,12 +12,10 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/pkg/errors"
 	"go.uber.org/zap"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -28,12 +26,6 @@ import (
 	"tailscale.com/util/set"
 )
 
-const (
-	tailscaleIngressClassName      = "tailscale"                                   // ingressClass.metadata.name for tailscale IngressClass resource
-	tailscaleIngressControllerName = "tailscale.com/ts-ingress"                    // ingressClass.spec.controllerName for tailscale IngressClass resource
-	ingressClassDefaultAnnotation  = "ingressclass.kubernetes.io/is-default-class" // we do not support this https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class
-)
-
 type IngressReconciler struct {
 	client.Client
 
@@ -117,10 +109,6 @@ func (a *IngressReconciler) maybeCleanup(ctx context.Context, logger *zap.Sugare
 // This function adds a finalizer to ing, ensuring that we can handle orderly
 // deprovisioning later.
 func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.SugaredLogger, ing *networkingv1.Ingress) error {
-	if err := a.validateIngressClass(ctx); err != nil {
-		logger.Warnf("error validating tailscale IngressClass: %v. In future this might be a terminal error.", err)
-
-	}
 	if !slices.Contains(ing.Finalizers, FinalizerName) {
 		// This log line is printed exactly once during initial provisioning,
 		// because once the finalizer is in place this block gets skipped. So,
@@ -217,15 +205,6 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 			continue
 		}
 		for _, p := range rule.HTTP.Paths {
-			// Send a warning if folks use Exact path type - to make
-			// it easier for us to support Exact path type matching
-			// in the future if needed.
-			// https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
-			if *p.PathType == networkingv1.PathTypeExact {
-				msg := "Exact path type strict matching is currently not supported and requests will be routed as for Prefix path type. This behaviour might change in the future."
-				logger.Warnf(fmt.Sprintf("Unsupported Path type exact for path %s. %s", p.Path, msg))
-				a.recorder.Eventf(ing, corev1.EventTypeWarning, "UnsupportedPathTypeExact", msg)
-			}
 			addIngressBackend(&p.Backend, p.Path)
 		}
 	}
@@ -288,28 +267,5 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 func (a *IngressReconciler) shouldExpose(ing *networkingv1.Ingress) bool {
 	return ing != nil &&
 		ing.Spec.IngressClassName != nil &&
-		*ing.Spec.IngressClassName == tailscaleIngressClassName
-}
-
-// validateIngressClass attempts to validate that 'tailscale' IngressClass
-// included in Tailscale installation manifests exists and has not been modified
-// to attempt to enable features that we do not support.
-func (a *IngressReconciler) validateIngressClass(ctx context.Context) error {
-	ic := &networkingv1.IngressClass{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: tailscaleIngressClassName,
-		},
-	}
-	if err := a.Get(ctx, client.ObjectKeyFromObject(ic), ic); apierrors.IsNotFound(err) {
-		return errors.New("Tailscale IngressClass not found in cluster. Latest installation manifests include a tailscale IngressClass - please update")
-	} else if err != nil {
-		return fmt.Errorf("error retrieving 'tailscale' IngressClass: %w", err)
-	}
-	if ic.Spec.Controller != tailscaleIngressControllerName {
-		return fmt.Errorf("Tailscale Ingress class controller name %s does not match tailscale Ingress controller name %s. Ensure that you are using 'tailscale' IngressClass from latest Tailscale installation manifests", ic.Spec.Controller, tailscaleIngressControllerName)
-	}
-	if ic.GetAnnotations()[ingressClassDefaultAnnotation] != "" {
-		return fmt.Errorf("%s annotation is set on 'tailscale' IngressClass, but Tailscale Ingress controller does not support default Ingress class. Ensure that you are using 'tailscale' IngressClass from latest Tailscale installation manifests", ingressClassDefaultAnnotation)
-	}
-	return nil
+		*ing.Spec.IngressClassName == "tailscale"
 }

cmd/k8s-operator/operator.go

@@ -45,7 +45,7 @@ import (
 )
 
 // Generate static manifests for deploying Tailscale operator on Kubernetes from the operator's Helm chart.
-//go:generate go run tailscale.com/cmd/k8s-operator/generate staticmanifests
+//go:generate go run tailscale.com/cmd/k8s-operator/generate
 
 // Generate Connector CustomResourceDefinition yaml from its Go types.
 //go:generate go run sigs.k8s.io/controller-tools/cmd/controller-gen crd schemapatch:manifests=./deploy/crds output:dir=./deploy/crds paths=../../k8s-operator/apis/...
@@ -62,6 +62,7 @@ func main() {
 		priorityClassName = defaultEnv("PROXY_PRIORITY_CLASS_NAME", "")
 		tags              = defaultEnv("PROXY_TAGS", "tag:k8s")
 		tsFirewallMode    = defaultEnv("PROXY_FIREWALL_MODE", "")
+		tsEnableConnector = defaultBool("ENABLE_CONNECTOR", false)
 	)
 
 	var opts []kzap.Opts
@@ -92,7 +93,7 @@ func main() {
 	maybeLaunchAPIServerProxy(zlog, restConfig, s, mode)
 	// TODO (irbekrm): gather the reconciler options into an opts struct
 	// rather than passing a million of them in one by one.
-	runReconcilers(zlog, s, tsNamespace, restConfig, tsClient, image, priorityClassName, tags, tsFirewallMode)
+	runReconcilers(zlog, s, tsNamespace, restConfig, tsClient, image, priorityClassName, tags, tsFirewallMode, tsEnableConnector)
 }
 
 // initTSNet initializes the tsnet.Server and logs in to Tailscale. It uses the
@@ -200,7 +201,7 @@ waitOnline:
 
 // runReconcilers starts the controller-runtime manager and registers the
 // ServiceReconciler. It blocks forever.
-func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string, restConfig *rest.Config, tsClient *tailscale.Client, image, priorityClassName, tags, tsFirewallMode string) {
+func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string, restConfig *rest.Config, tsClient *tailscale.Client, image, priorityClassName, tags, tsFirewallMode string, enableConnector bool) {
 	var (
 		isDefaultLoadBalancer = defaultBool("OPERATOR_DEFAULT_LOAD_BALANCER", false)
 	)
@@ -215,16 +216,15 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 		Field: client.InNamespace(tsNamespace).AsSelector(),
 	}
 	mgrOpts := manager.Options{
-		// TODO (irbekrm): stricter filtering what we watch/cache/call
-		// reconcilers on. c/r by default starts a watch on any
-		// resources that we GET via the controller manager's client.
 		Cache: cache.Options{
 			ByObject: map[client.Object]cache.ByObject{
 				&corev1.Secret{}:      nsFilter,
 				&appsv1.StatefulSet{}: nsFilter,
 			},
 		},
-		Scheme: tsapi.GlobalScheme,
+	}
+	if enableConnector {
+		mgrOpts.Scheme = tsapi.GlobalScheme
 	}
 	mgr, err := manager.New(restConfig, mgrOpts)
 	if err != nil {
@@ -278,20 +278,22 @@ func runReconcilers(zlog *zap.SugaredLogger, s *tsnet.Server, tsNamespace string
 		startlog.Fatalf("could not create controller: %v", err)
 	}
 
-	connectorFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("connector"))
-	err = builder.ControllerManagedBy(mgr).
-		For(&tsapi.Connector{}).
-		Watches(&appsv1.StatefulSet{}, connectorFilter).
-		Watches(&corev1.Secret{}, connectorFilter).
-		Complete(&ConnectorReconciler{
-			ssr:      ssr,
-			recorder: eventRecorder,
-			Client:   mgr.GetClient(),
-			logger:   zlog.Named("connector-reconciler"),
-			clock:    tstime.DefaultClock{},
-		})
-	if err != nil {
-		startlog.Fatal("could not create connector reconciler: %v", err)
+	if enableConnector {
+		connectorFilter := handler.EnqueueRequestsFromMapFunc(managedResourceHandlerForType("subnetrouter"))
+		err = builder.ControllerManagedBy(mgr).
+			For(&tsapi.Connector{}).
+			Watches(&appsv1.StatefulSet{}, connectorFilter).
+			Watches(&corev1.Secret{}, connectorFilter).
+			Complete(&ConnectorReconciler{
+				ssr:      ssr,
+				recorder: eventRecorder,
+				Client:   mgr.GetClient(),
+				logger:   zlog.Named("connector-reconciler"),
+				clock:    tstime.DefaultClock{},
+			})
+		if err != nil {
+			startlog.Fatal("could not create connector reconciler: %v", err)
+		}
 	}
 	startlog.Infof("Startup complete, operator running, version: %s", version.Long())
 	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {

cmd/k8s-operator/proxy.go

@@ -6,6 +6,7 @@
 package main
 
 import (
+	"context"
 	"crypto/tls"
 	"fmt"
 	"log"
@@ -23,11 +24,22 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/tsnet"
 	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/ctxkey"
 	"tailscale.com/util/set"
 )
 
-var whoIsKey = ctxkey.New("", (*apitype.WhoIsResponse)(nil))
+type whoIsKey struct{}
+
+// whoIsFromRequest returns the WhoIsResponse previously stashed by a call to
+// addWhoIsToRequest.
+func whoIsFromRequest(r *http.Request) *apitype.WhoIsResponse {
+	return r.Context().Value(whoIsKey{}).(*apitype.WhoIsResponse)
+}
+
+// addWhoIsToRequest stashes who in r's context, retrievable by a call to
+// whoIsFromRequest.
+func addWhoIsToRequest(r *http.Request, who *apitype.WhoIsResponse) *http.Request {
+	return r.WithContext(context.WithValue(r.Context(), whoIsKey{}, who))
+}
 
 var counterNumRequestsProxied = clientmetric.NewCounter("k8s_auth_proxy_requests_proxied")
 
@@ -115,7 +127,7 @@ func (h *apiserverProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	counterNumRequestsProxied.Add(1)
-	h.rp.ServeHTTP(w, r.WithContext(whoIsKey.WithValue(r.Context(), who)))
+	h.rp.ServeHTTP(w, addWhoIsToRequest(r, who))
 }
 
 // runAPIServerProxy runs an HTTP server that authenticates requests using the
@@ -228,7 +240,7 @@ type impersonateRule struct {
 // in the context by the apiserverProxy.
 func addImpersonationHeaders(r *http.Request, log *zap.SugaredLogger) error {
 	log = log.With("remote", r.RemoteAddr)
-	who := whoIsKey.Value(r.Context())
+	who := whoIsFromRequest(r)
 	rules, err := tailcfg.UnmarshalCapJSON[capRule](who.CapMap, capabilityName)
 	if len(rules) == 0 && err == nil {
 		// Try the old capability name for backwards compatibility.

cmd/k8s-operator/proxy_test.go

@@ -95,7 +95,7 @@ func TestImpersonationHeaders(t *testing.T) {
 
 	for _, tc := range tests {
 		r := must.Get(http.NewRequest("GET", "https://op.ts.net/api/foo", nil))
-		r = r.WithContext(whoIsKey.WithValue(r.Context(), &apitype.WhoIsResponse{
+		r = addWhoIsToRequest(r, &apitype.WhoIsResponse{
 			Node: &tailcfg.Node{
 				Name: "node.ts.net",
 				Tags: tc.tags,
@@ -104,7 +104,7 @@ func TestImpersonationHeaders(t *testing.T) {
 				LoginName: tc.emailish,
 			},
 			CapMap: tc.capMap,
-		}))
+		})
 		addImpersonationHeaders(r, zl.Sugar())
 
 		if d := cmp.Diff(tc.wantHeaders, r.Header); d != "" {

cmd/k8s-operator/sts.go

@@ -214,17 +214,18 @@ const maxStatefulSetNameLength = 63 - 10 - 1
 // generation will NOT result in a StatefulSet name longer than 52 chars.
 // This is done because of https://github.com/kubernetes/kubernetes/issues/64023.
 func statefulSetNameBase(parent string) string {
+
 	base := fmt.Sprintf("ts-%s-", parent)
+
+	// Calculate what length name GenerateName returns for this base.
 	generator := names.SimpleNameGenerator
-	for {
-		generatedName := generator.GenerateName(base)
-		excess := len(generatedName) - maxStatefulSetNameLength
-		if excess <= 0 {
-			return base
-		}
-		base = base[:len(base)-1-excess] // cut off the excess chars
-		base = base + "-"                // re-instate the dash
+	generatedName := generator.GenerateName(base)
+
+	if excess := len(generatedName) - maxStatefulSetNameLength; excess > 0 {
+		base = base[:len(base)-excess-1] // take extra char off to make space for hyphen
+		base = base + "-"                // re-instate hyphen
 	}
+	return base
 }
 
 func (a *tailscaleSTSReconciler) reconcileHeadlessService(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig) (*corev1.Service, error) {
@@ -411,9 +412,6 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 		},
 	}
 	mak.Set(&ss.Spec.Template.Labels, "app", sts.ParentResourceUID)
-	for key, val := range sts.ChildResourceLabels {
-		ss.Spec.Template.Labels[key] = val // sync StatefulSet labels to Pod to make it easier for users to select the Pod
-	}
 
 	// Generic containerboot configuration options.
 	container.Env = append(container.Env,

cmd/k8s-operator/sts_test.go

@@ -6,9 +6,6 @@
 package main
 
 import (
-	"fmt"
-	"regexp"
-	"strings"
 	"testing"
 )
 
@@ -22,20 +19,32 @@ import (
 // https://github.com/kubernetes/kubernetes/blob/v1.28.4/staging/src/k8s.io/apiserver/pkg/storage/names/generate.go#L45.
 // https://github.com/kubernetes/kubernetes/pull/116430
 func Test_statefulSetNameBase(t *testing.T) {
-	// Service name lengths can be 1 - 63 chars, be paranoid and test them all.
-	var b strings.Builder
-	for b.Len() < 63 {
-		if _, err := b.WriteString("a"); err != nil {
-			t.Fatalf("error writing to string builder: %v", err)
-		}
-		baseLength := b.Len()
-		if baseLength > 43 {
-			baseLength = 43 // currently 43 is the max base length
-		}
-		wantsNameR := regexp.MustCompile(`^ts-a{` + fmt.Sprint(baseLength) + `}-$`) // to match a string like ts-aaaa-
-		gotName := statefulSetNameBase(b.String())
-		if !wantsNameR.MatchString(gotName) {
-			t.Fatalf("expected string %s to match regex %s ", gotName, wantsNameR.String()) // fatal rather than error as this test is called 63 times
-		}
+	tests := []struct {
+		name string
+		in   string
+		out  string
+	}{
+		{
+			name: "43 chars",
+			in:   "oidhexl9o832hcbhyg4uz6o0s7u9uae54h5k8ofs9xb",
+			out:  "ts-oidhexl9o832hcbhyg4uz6o0s7u9uae54h5k8ofs9xb-",
+		},
+		{
+			name: "44 chars",
+			in:   "oidhexl9o832hcbhyg4uz6o0s7u9uae54h5k8ofs9xbo",
+			out:  "ts-oidhexl9o832hcbhyg4uz6o0s7u9uae54h5k8ofs9xb-",
+		},
+		{
+			name: "42 chars",
+			in:   "oidhexl9o832hcbhyg4uz6o0s7u9uae54h5k8ofs9x",
+			out:  "ts-oidhexl9o832hcbhyg4uz6o0s7u9uae54h5k8ofs9x-",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := statefulSetNameBase(tt.in); got != tt.out {
+				t.Errorf("stsNamePrefix(%s) = %q, want %s", tt.in, got, tt.out)
+			}
+		})
 	}
 }

cmd/k8s-operator/testutils_test.go

@@ -147,13 +147,7 @@ func expectedSTS(opts configOpts) *appsv1.StatefulSet {
 				ObjectMeta: metav1.ObjectMeta{
 					Annotations:                annots,
 					DeletionGracePeriodSeconds: ptr.To[int64](10),
-					Labels: map[string]string{
-						"tailscale.com/managed":              "true",
-						"tailscale.com/parent-resource":      "test",
-						"tailscale.com/parent-resource-ns":   opts.namespace,
-						"tailscale.com/parent-resource-type": opts.parentType,
-						"app":                                "1234-UID",
-					},
+					Labels:                     map[string]string{"app": "1234-UID"},
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: "proxies",

cmd/stund/depaware.txt

@@ -66,7 +66,6 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         tailscale.com/types/tkatype                                  from tailscale.com/tailcfg+
         tailscale.com/types/views                                    from tailscale.com/net/tsaddr+
         tailscale.com/util/cmpx                                      from tailscale.com/tailcfg+
-        tailscale.com/util/ctxkey                                    from tailscale.com/tsweb+
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
         tailscale.com/util/dnsname                                   from tailscale.com/tailcfg
         tailscale.com/util/lineread                                  from tailscale.com/version/distro

cmd/tailscale/cli/exitnode.go

@@ -23,8 +23,6 @@ import (
 var exitNodeCmd = &ffcli.Command{
 	Name:       "exit-node",
 	ShortUsage: "exit-node [flags]",
-	ShortHelp:  "Show machines on your tailnet configured as exit nodes",
-	LongHelp:   "Show machines on your tailnet configured as exit nodes",
 	Subcommands: []*ffcli.Command{
 		{
 			Name:       "list",

cmd/tailscale/depaware.txt

@@ -19,8 +19,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
    L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
    L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
         github.com/google/uuid                                       from tailscale.com/util/quarantine+
-        github.com/gorilla/csrf                                      from tailscale.com/client/web
-        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
+        github.com/gorilla/securecookie                              from github.com/tailscale/csrf
         github.com/hdevalence/ed25519consensus                       from tailscale.com/tka+
    L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
    L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
@@ -38,10 +37,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
         github.com/peterbourgon/ff/v3/ffcli                          from tailscale.com/cmd/tailscale/cli
         github.com/peterbourgon/ff/v3/internal                       from github.com/peterbourgon/ff/v3
-        github.com/pkg/errors                                        from github.com/gorilla/csrf
         github.com/skip2/go-qrcode                                   from tailscale.com/cmd/tailscale/cli
         github.com/skip2/go-qrcode/bitset                            from github.com/skip2/go-qrcode+
         github.com/skip2/go-qrcode/reedsolomon                       from github.com/skip2/go-qrcode
+        github.com/tailscale/csrf                                    from tailscale.com/client/web
    W 💣 github.com/tailscale/go-winio                                from tailscale.com/safesocket
    W 💣 github.com/tailscale/go-winio/internal/fs                    from github.com/tailscale/go-winio
    W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
@@ -143,7 +142,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/util/cloudenv                                  from tailscale.com/net/dnscache+
         tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy+
         tailscale.com/util/cmpx                                      from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/util/ctxkey                                    from tailscale.com/types/logger
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
         tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
         tailscale.com/util/groupmember                               from tailscale.com/client/web
@@ -261,14 +259,13 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         hash/adler32                                                 from compress/zlib
         hash/crc32                                                   from compress/gzip+
         hash/maphash                                                 from go4.org/mem
-        html                                                         from tailscale.com/ipn/ipnstate+
-        html/template                                                from github.com/gorilla/csrf
+        html                                                         from tailscale.com/ipn/ipnstate
         image                                                        from github.com/skip2/go-qrcode+
         image/color                                                  from github.com/skip2/go-qrcode+
         image/png                                                    from github.com/skip2/go-qrcode
         io                                                           from bufio+
         io/fs                                                        from crypto/x509+
-        io/ioutil                                                    from github.com/godbus/dbus/v5+
+        io/ioutil                                                    from golang.org/x/sys/cpu+
         log                                                          from expvar+
         log/internal                                                 from log
         maps                                                         from tailscale.com/types/views+
@@ -292,7 +289,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         os/exec                                                      from github.com/toqueteos/webbrowser+
         os/signal                                                    from tailscale.com/cmd/tailscale/cli
         os/user                                                      from tailscale.com/util/groupmember+
-        path                                                         from html/template+
+        path                                                         from archive/tar+
         path/filepath                                                from crypto/x509+
         reflect                                                      from crypto/x509+
         regexp                                                       from github.com/tailscale/goupnp/httpu+
@@ -308,8 +305,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         syscall                                                      from crypto/rand+
         testing                                                      from tailscale.com/util/syspolicy
         text/tabwriter                                               from github.com/peterbourgon/ff/v3/ffcli+
-        text/template                                                from html/template
-        text/template/parse                                          from html/template+
         time                                                         from compress/gzip+
         unicode                                                      from bytes+
         unicode/utf16                                                from encoding/asn1+

cmd/tailscaled/depaware.txt

@@ -95,8 +95,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
    L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
         github.com/google/uuid                                       from tailscale.com/clientupdate
-        github.com/gorilla/csrf                                      from tailscale.com/client/web
-        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
+        github.com/gorilla/securecookie                              from github.com/tailscale/csrf
         github.com/hdevalence/ed25519consensus                       from tailscale.com/tka+
    L 💣 github.com/illarion/gonotify                                 from tailscale.com/net/dns
    L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
@@ -130,18 +129,19 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/pierrec/lz4/v4/internal/lz4errors                 from github.com/pierrec/lz4/v4+
    L    github.com/pierrec/lz4/v4/internal/lz4stream                 from github.com/pierrec/lz4/v4
    L    github.com/pierrec/lz4/v4/internal/xxh32                     from github.com/pierrec/lz4/v4/internal/lz4stream
-        github.com/pkg/errors                                        from github.com/gorilla/csrf
   LD    github.com/pkg/sftp                                          from tailscale.com/ssh/tailssh
   LD    github.com/pkg/sftp/internal/encoding/ssh/filexfer           from github.com/pkg/sftp
    L 💣 github.com/safchain/ethtool                                  from tailscale.com/net/netkernelconf
    W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
+        github.com/tailscale/csrf                                    from tailscale.com/client/web
    W 💣 github.com/tailscale/go-winio                                from tailscale.com/safesocket
    W 💣 github.com/tailscale/go-winio/internal/fs                    from github.com/tailscale/go-winio
    W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
    W    github.com/tailscale/go-winio/internal/stringbuffer          from github.com/tailscale/go-winio/internal/fs
    W    github.com/tailscale/go-winio/pkg/guid                       from github.com/tailscale/go-winio+
         github.com/tailscale/golang-x-crypto/acme                    from tailscale.com/ipn/ipnlocal
-  LD    github.com/tailscale/golang-x-crypto/internal/poly1305       from github.com/tailscale/golang-x-crypto/ssh
+  LD    github.com/tailscale/golang-x-crypto/chacha20                from github.com/tailscale/golang-x-crypto/ssh
+  LD 💣 github.com/tailscale/golang-x-crypto/internal/alias          from github.com/tailscale/golang-x-crypto/chacha20
   LD    github.com/tailscale/golang-x-crypto/ssh                     from tailscale.com/ipn/ipnlocal+
   LD    github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf from github.com/tailscale/golang-x-crypto/ssh
         github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2+
@@ -344,11 +344,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/cloudenv                                  from tailscale.com/net/dns/resolver+
         tailscale.com/util/cmpver                                    from tailscale.com/net/dns+
         tailscale.com/util/cmpx                                      from tailscale.com/derp/derphttp+
-        tailscale.com/util/ctxkey                                    from tailscale.com/ipn/ipnlocal+
      💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
    L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics+
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
-        tailscale.com/util/execqueue                                 from tailscale.com/control/controlclient+
         tailscale.com/util/goroutines                                from tailscale.com/ipn/ipnlocal
         tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnauth+
      💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
@@ -404,10 +402,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from github.com/tailscale/golang-x-crypto/ssh+
+  LD    golang.org/x/crypto/ed25519                                  from github.com/tailscale/golang-x-crypto/ssh
         golang.org/x/crypto/hkdf                                     from crypto/tls+
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
+        golang.org/x/crypto/poly1305                                 from github.com/tailscale/golang-x-crypto/ssh+
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
   LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
         golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
@@ -494,7 +493,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         hash/fnv                                                     from tailscale.com/wgengine/magicsock+
         hash/maphash                                                 from go4.org/mem
         html                                                         from tailscale.com/ipn/ipnlocal+
-        html/template                                                from github.com/gorilla/csrf
         io                                                           from bufio+
         io/fs                                                        from crypto/x509+
         io/ioutil                                                    from github.com/godbus/dbus/v5+
@@ -540,8 +538,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         syscall                                                      from crypto/rand+
         testing                                                      from tailscale.com/util/syspolicy
         text/tabwriter                                               from runtime/pprof
-        text/template                                                from html/template
-        text/template/parse                                          from html/template+
         time                                                         from compress/gzip+
         unicode                                                      from bytes+
         unicode/utf16                                                from crypto/x509+

control/controlclient/auto.go

@@ -22,7 +22,6 @@ import (
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/structs"
-	"tailscale.com/util/execqueue"
 )
 
 type LoginGoal struct {
@@ -119,7 +118,7 @@ type Auto struct {
 	closed        bool
 	updateCh      chan struct{} // readable when we should inform the server of a change
 	observer      Observer      // called to update Client status; always non-nil
-	observerQueue execqueue.ExecQueue
+	observerQueue execQueue
 
 	unregisterHealthWatch func()
 
@@ -676,7 +675,7 @@ func (c *Auto) Shutdown() {
 	direct := c.direct
 	if !closed {
 		c.closed = true
-		c.observerQueue.Shutdown()
+		c.observerQueue.shutdown()
 		c.cancelAuthCtxLocked()
 		c.cancelMapCtxLocked()
 		for _, w := range c.unpauseWaiters {
@@ -697,7 +696,7 @@ func (c *Auto) Shutdown() {
 		}
 		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
-		c.observerQueue.Wait(ctx)
+		c.observerQueue.wait(ctx)
 		c.logf("Client.Shutdown done.")
 	}
 }
@@ -738,3 +737,95 @@ func (c *Auto) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 func (c *Auto) GetSingleUseNoiseRoundTripper(ctx context.Context) (http.RoundTripper, *tailcfg.EarlyNoise, error) {
 	return c.direct.GetSingleUseNoiseRoundTripper(ctx)
 }
+
+type execQueue struct {
+	mu         sync.Mutex
+	closed     bool
+	inFlight   bool          // whether a goroutine is running q.run
+	doneWaiter chan struct{} // non-nil if waiter is waiting, then closed
+	queue      []func()
+}
+
+func (q *execQueue) Add(f func()) {
+	q.mu.Lock()
+	defer q.mu.Unlock()
+	if q.closed {
+		return
+	}
+	if q.inFlight {
+		q.queue = append(q.queue, f)
+	} else {
+		q.inFlight = true
+		go q.run(f)
+	}
+}
+
+// RunSync waits for the queue to be drained and then synchronously runs f.
+// It returns an error if the queue is closed before f is run or ctx expires.
+func (q *execQueue) RunSync(ctx context.Context, f func()) error {
+	for {
+		if err := q.wait(ctx); err != nil {
+			return err
+		}
+		q.mu.Lock()
+		if q.inFlight {
+			q.mu.Unlock()
+			continue
+		}
+		defer q.mu.Unlock()
+		if q.closed {
+			return errors.New("closed")
+		}
+		f()
+		return nil
+	}
+}
+
+func (q *execQueue) run(f func()) {
+	f()
+
+	q.mu.Lock()
+	for len(q.queue) > 0 && !q.closed {
+		f := q.queue[0]
+		q.queue[0] = nil
+		q.queue = q.queue[1:]
+		q.mu.Unlock()
+		f()
+		q.mu.Lock()
+	}
+	q.inFlight = false
+	q.queue = nil
+	if q.doneWaiter != nil {
+		close(q.doneWaiter)
+		q.doneWaiter = nil
+	}
+	q.mu.Unlock()
+}
+
+func (q *execQueue) shutdown() {
+	q.mu.Lock()
+	defer q.mu.Unlock()
+	q.closed = true
+}
+
+// wait waits for the queue to be empty.
+func (q *execQueue) wait(ctx context.Context) error {
+	q.mu.Lock()
+	waitCh := q.doneWaiter
+	if q.inFlight && waitCh == nil {
+		waitCh = make(chan struct{})
+		q.doneWaiter = waitCh
+	}
+	q.mu.Unlock()
+
+	if waitCh == nil {
+		return nil
+	}
+
+	select {
+	case <-waitCh:
+		return nil
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}

derp/derp_client.go

@@ -159,16 +159,16 @@ func (c *Client) parseServerInfo(b []byte) (*serverInfo, error) {
 }
 
 type clientInfo struct {
+	// Version is the DERP protocol version that the client was built with.
+	// See the ProtocolVersion const.
+	Version int `json:"version,omitempty"`
+
 	// MeshKey optionally specifies a pre-shared key used by
 	// trusted clients.  It's required to subscribe to the
 	// connection list & forward packets. It's empty for regular
 	// users.
 	MeshKey string `json:"meshKey,omitempty"`
 
-	// Version is the DERP protocol version that the client was built with.
-	// See the ProtocolVersion const.
-	Version int `json:"version,omitempty"`
-
 	// CanAckPings is whether the client declares it's able to ack
 	// pings.
 	CanAckPings bool

derp/derp_server.go

@@ -712,6 +712,7 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 		bw:             bw,
 		logf:           logger.WithPrefix(s.logf, fmt.Sprintf("derp client %v%s: ", remoteAddr, clientKey.ShortString())),
 		done:           ctx.Done(),
+		remoteAddr:     remoteAddr,
 		remoteIPPort:   remoteIPPort,
 		connectedAt:    s.clock.Now(),
 		sendQueue:      make(chan pkt, perClientSendQueueDepth),
@@ -1316,6 +1317,7 @@ type sclient struct {
 	info           clientInfo
 	logf           logger.Logf
 	done           <-chan struct{}  // closed when connection closes
+	remoteAddr     string           // usually ip:port from net.Conn.RemoteAddr().String()
 	remoteIPPort   netip.AddrPort   // zero if remoteAddr is not ip:port.
 	sendQueue      chan pkt         // packets queued to this client; never closed
 	discoSendQueue chan pkt         // important packets queued to this client; never closed
@@ -1352,13 +1354,16 @@ type sclient struct {
 // peerConnState represents whether a peer is connected to the server
 // or not.
 type peerConnState struct {
-	ipPort  netip.AddrPort // if present, the peer's IP:port
 	peer    key.NodePublic
 	present bool
+	ipPort  netip.AddrPort // if present, the peer's IP:port
 }
 
 // pkt is a request to write a data frame to an sclient.
 type pkt struct {
+	// src is the who's the sender of the packet.
+	src key.NodePublic
+
 	// enqueuedAt is when a packet was put onto a queue before it was sent,
 	// and is used for reporting metrics on the duration of packets in the queue.
 	enqueuedAt time.Time
@@ -1366,9 +1371,6 @@ type pkt struct {
 	// bs is the data packet bytes.
 	// The memory is owned by pkt.
 	bs []byte
-
-	// src is the who's the sender of the packet.
-	src key.NodePublic
 }
 
 // peerGoneMsg is a request to write a peerGone frame to an sclient
@@ -1571,17 +1573,6 @@ func (c *sclient) sendMeshUpdates() error {
 	c.s.mu.Lock()
 	defer c.s.mu.Unlock()
 
-	// allow all happened-before mesh update request goroutines to complete, if
-	// we don't finish the task we'll queue another below.
-drainUpdates:
-	for {
-		select {
-		case <-c.meshUpdate:
-		default:
-			break drainUpdates
-		}
-	}
-
 	writes := 0
 	for _, pcs := range c.peerStateChange {
 		if c.bw.Available() <= frameHeaderLen+keyLen {

flake.nix

@@ -120,4 +120,4 @@
   in
     flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-BK1zugKGtx2RpWHDvFZaFqz/YdoewsG8SscGt25uwtQ=
+# nix-direnv cache busting line: sha256-uMVRdgO/HTs0CKqWPUFEL/rFvzio1vblTUaz5Cgi+5Q=

go.mod

@@ -61,14 +61,15 @@ require (
 	github.com/safchain/ethtool v0.3.0
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e
+	github.com/tailscale/csrf v0.0.0-20240109230941-966d36861f16
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
-	github.com/tailscale/golang-x-crypto v0.0.0-20240108194725-7ce1f622c780
+	github.com/tailscale/golang-x-crypto v0.0.0-20230713185742-f0b76a10a08e
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
 	github.com/tailscale/mkctr v0.0.0-20240102155253-bf50773ba734
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
-	github.com/tailscale/web-client-prebuilt v0.0.0-20240111230031-5ca22df9e6e7
+	github.com/tailscale/web-client-prebuilt v0.0.0-20231213172531-a4fa669015b2
 	github.com/tailscale/wireguard-go v0.0.0-20231121184858-cc193a0b3272
 	github.com/tc-hib/winres v0.2.1
 	github.com/tcnksm/go-httpstat v0.2.0
@@ -79,14 +80,14 @@ require (
 	go.uber.org/zap v1.26.0
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13
 	go4.org/netipx v0.0.0-20230824141953-6213f710f925
-	golang.org/x/crypto v0.17.1-0.20240102205709-08396bb92b82
+	golang.org/x/crypto v0.15.0
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9
 	golang.org/x/mod v0.14.0
 	golang.org/x/net v0.18.0
 	golang.org/x/oauth2 v0.12.0
 	golang.org/x/sync v0.5.0
 	golang.org/x/sys v0.15.0
-	golang.org/x/term v0.15.0
+	golang.org/x/term v0.14.0
 	golang.org/x/time v0.3.0
 	golang.org/x/tools v0.15.0
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
@@ -114,7 +115,7 @@ require (
 	github.com/dave/brenda v1.1.0 // indirect
 	github.com/gobuffalo/flect v1.0.2 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
-	github.com/gorilla/securecookie v1.1.1 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
 )
 
 require (
@@ -224,7 +225,6 @@ require (
 	github.com/gordonklaus/ineffassign v0.0.0-20230107090616-13ace0543b28 // indirect
 	github.com/goreleaser/chglog v0.5.0 // indirect
 	github.com/goreleaser/fileglob v1.3.0 // indirect
-	github.com/gorilla/csrf v1.7.1
 	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
 	github.com/gostaticanalysis/comment v1.4.2 // indirect
 	github.com/gostaticanalysis/forcetypeassert v0.1.0 // indirect

go.mod.sri

@@ -1 +1 @@
-sha256-BK1zugKGtx2RpWHDvFZaFqz/YdoewsG8SscGt25uwtQ=
+sha256-uMVRdgO/HTs0CKqWPUFEL/rFvzio1vblTUaz5Cgi+5Q=

go.sum

@@ -496,10 +496,8 @@ github.com/goreleaser/fileglob v1.3.0 h1:/X6J7U8lbDpQtBvGcwwPS6OpzkNVlVEsFUVRx9+
 github.com/goreleaser/fileglob v1.3.0/go.mod h1:Jx6BoXv3mbYkEzwm9THo7xbr5egkAraxkGorbJb4RxU=
 github.com/goreleaser/nfpm/v2 v2.33.1 h1:EkdAzZyVhAI9JC1vjmjjbmnNzyH1J6Cu4JCsA7YcQuc=
 github.com/goreleaser/nfpm/v2 v2.33.1/go.mod h1:8wwWWvJWmn84xo/Sqiv0aMvEGTHlHZTXTEuVSgQpkIM=
-github.com/gorilla/csrf v1.7.1 h1:Ir3o2c1/Uzj6FBxMlAUB6SivgVMy1ONXwYgXn+/aHPE=
-github.com/gorilla/csrf v1.7.1/go.mod h1:+a/4tCmqhG6/w4oafeAZ9pEa3/NZOWYVbD9fV0FwIQA=
-github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
-github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@@ -882,14 +880,16 @@ github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c h1:+aPplB
 github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c/go.mod h1:SbErYREK7xXdsRiigaQiQkI9McGRzYMvlKYaP3Nimdk=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
+github.com/tailscale/csrf v0.0.0-20240109230941-966d36861f16 h1:ALxSJ4KoXENNx1f3L+LD/QuY/FpWadzAMtWIa1Po+jk=
+github.com/tailscale/csrf v0.0.0-20240109230941-966d36861f16/go.mod h1:DkNNZmUscMpGHYJVVqyAqMVY6goWltxvnDSMKuDsxlU=
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HPjrSuJYEkdZ+0ItmGQAQ75cRHIiftIyE=
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20240108194725-7ce1f622c780 h1:U0J2CUrrTcc2wmr9tSLYEo+USfwNikRRsmxVLD4eZ7E=
-github.com/tailscale/golang-x-crypto v0.0.0-20240108194725-7ce1f622c780/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
+github.com/tailscale/golang-x-crypto v0.0.0-20230713185742-f0b76a10a08e h1:JyeJF/HuSwvxWtsR1c0oKX1lzaSH5Wh4aX+MgiStaGQ=
+github.com/tailscale/golang-x-crypto v0.0.0-20230713185742-f0b76a10a08e/go.mod h1:DjoeCULdP6vTJ/xY+nzzR9LaUHprkbZEpNidX0aqEEk=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
@@ -898,8 +898,8 @@ github.com/tailscale/mkctr v0.0.0-20240102155253-bf50773ba734 h1:93cvKHbvsPK3MKf
 github.com/tailscale/mkctr v0.0.0-20240102155253-bf50773ba734/go.mod h1:6v53VHLmLKUaqWMpSGDeRWhltLSCEteMItYoiKLpdJk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
-github.com/tailscale/web-client-prebuilt v0.0.0-20240111230031-5ca22df9e6e7 h1:xAgOVncJuuxkFZ2oXXDKFTH4HDdFYSZRYdA6oMrCewg=
-github.com/tailscale/web-client-prebuilt v0.0.0-20240111230031-5ca22df9e6e7/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
+github.com/tailscale/web-client-prebuilt v0.0.0-20231213172531-a4fa669015b2 h1:lR1voET3dwe3CxacGAiva4k08TXtQ6Dlmult4JILlj4=
+github.com/tailscale/web-client-prebuilt v0.0.0-20231213172531-a4fa669015b2/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wireguard-go v0.0.0-20231121184858-cc193a0b3272 h1:zwsem4CaamMdC3tFoTpzrsUSMDPV0K6rhnQdF7kXekQ=
 github.com/tailscale/wireguard-go v0.0.0-20231121184858-cc193a0b3272/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
@@ -1004,8 +1004,8 @@ golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.17.1-0.20240102205709-08396bb92b82 h1:Im4GabMwJDxh7eJBIF8XGVAyhmlqdBQmZV49AzWdKEk=
-golang.org/x/crypto v0.17.1-0.20240102205709-08396bb92b82/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
+golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1207,8 +1207,8 @@ golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8=
+golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

ipn/ipnauth/ipnauth.go

@@ -46,8 +46,6 @@ type WindowsToken interface {
 	// IsElevated reports whether the receiver is currently executing as an
 	// elevated administrative user.
 	IsElevated() bool
-	// IsLocalSystem reports whether the receiver is the built-in SYSTEM user.
-	IsLocalSystem() bool
 	// UserDir returns the special directory identified by folderID as associated
 	// with the receiver. folderID must be one of the KNOWNFOLDERID values from
 	// the x/sys/windows package, serialized as a stringified GUID.

ipn/ipnauth/ipnauth_windows.go

@@ -93,12 +93,6 @@ func (t *token) IsElevated() bool {
 	return t.t.IsElevated()
 }
 
-func (t *token) IsLocalSystem() bool {
-	// https://web.archive.org/web/2024/https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
-	const systemUID = ipn.WindowsUserID("S-1-5-18")
-	return t.IsUID(systemUID)
-}
-
 func (t *token) UserDir(folderID string) (string, error) {
 	guid, err := windows.GUIDFromString(folderID)
 	if err != nil {

ipn/ipnlocal/local.go

@@ -2735,16 +2735,6 @@ func (b *LocalBackend) CheckIPNConnectionAllowed(ci *ipnauth.ConnIdentity) error
 	if !b.pm.CurrentPrefs().ForceDaemon() {
 		return nil
 	}
-
-	// Always allow Windows SYSTEM user to connect,
-	// even if Tailscale is currently being used by another user.
-	if tok, err := ci.WindowsToken(); err == nil {
-		defer tok.Close()
-		if tok.IsLocalSystem() {
-			return nil
-		}
-	}
-
 	uid := ci.WindowsUserID()
 	if uid == "" {
 		return errors.New("empty user uid in connection identity")
@@ -3446,21 +3436,15 @@ func (b *LocalBackend) reconfigAppConnectorLocked(nm *netmap.NetworkMap, prefs i
 		})
 	}
 
-	var (
-		domains []string
-		routes  []netip.Prefix
-	)
+	var domains []string
 	for _, attr := range attrs {
 		if slices.Contains(attr.Connectors, "*") || selfHasTag(attr.Connectors) {
 			domains = append(domains, attr.Domains...)
-			routes = append(routes, attr.Routes...)
 		}
 	}
 	slices.Sort(domains)
-	slices.SortFunc(routes, func(i, j netip.Prefix) int { return i.Addr().Compare(j.Addr()) })
 	domains = slices.Compact(domains)
-	routes = slices.Compact(routes)
-	b.appConnector.UpdateDomainsAndRoutes(domains, routes)
+	b.appConnector.UpdateDomains(domains)
 }
 
 // authReconfig pushes a new configuration into wgengine, if engine
@@ -5790,73 +5774,21 @@ var ErrDisallowedAutoRoute = errors.New("route is not allowed")
 // AdvertiseRoute implements the appc.RouteAdvertiser interface. It sets a new
 // route advertisement if one is not already present in the existing routes.
 // If the route is disallowed, ErrDisallowedAutoRoute is returned.
-func (b *LocalBackend) AdvertiseRoute(ipps ...netip.Prefix) error {
-	finalRoutes := b.Prefs().AdvertiseRoutes().AsSlice()
-	newRoutes := false
-
-	for _, ipp := range ipps {
-		if !allowedAutoRoute(ipp) {
-			continue
-		}
-		if slices.Contains(finalRoutes, ipp) {
-			continue
-		}
-
-		// If the new prefix is already contained by existing routes, skip it.
-		if coveredRouteRange(finalRoutes, ipp) {
-			continue
-		}
-
-		finalRoutes = append(finalRoutes, ipp)
-		newRoutes = true
+func (b *LocalBackend) AdvertiseRoute(ipp netip.Prefix) error {
+	if !allowedAutoRoute(ipp) {
+		return ErrDisallowedAutoRoute
 	}
-
-	if !newRoutes {
+	currentRoutes := b.Prefs().AdvertiseRoutes()
+	if currentRoutes.ContainsFunc(func(r netip.Prefix) bool {
+		// TODO(raggi): add support for subset checks and avoid subset route creations.
+		return ipp.IsSingleIP() && r.Contains(ipp.Addr()) || r == ipp
+	}) {
 		return nil
 	}
-
+	routes := append(currentRoutes.AsSlice(), ipp)
 	_, err := b.EditPrefs(&ipn.MaskedPrefs{
 		Prefs: ipn.Prefs{
-			AdvertiseRoutes: finalRoutes,
-		},
-		AdvertiseRoutesSet: true,
-	})
-	return err
-}
-
-// coveredRouteRange checks if a route is already included in a slice of
-// prefixes.
-func coveredRouteRange(finalRoutes []netip.Prefix, ipp netip.Prefix) bool {
-	for _, r := range finalRoutes {
-		if ipp.IsSingleIP() {
-			if r.Contains(ipp.Addr()) {
-				return true
-			}
-		} else {
-			if r.Contains(ipp.Addr()) && r.Contains(netipx.PrefixLastIP(ipp)) {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// UnadvertiseRoute implements the appc.RouteAdvertiser interface. It removes
-// a route advertisement if one is present in the existing routes.
-func (b *LocalBackend) UnadvertiseRoute(toRemove ...netip.Prefix) error {
-	currentRoutes := b.Prefs().AdvertiseRoutes().AsSlice()
-	finalRoutes := currentRoutes[:0]
-
-	for _, ipp := range currentRoutes {
-		if slices.Contains(toRemove, ipp) {
-			continue
-		}
-		finalRoutes = append(finalRoutes, ipp)
-	}
-
-	_, err := b.EditPrefs(&ipn.MaskedPrefs{
-		Prefs: ipn.Prefs{
-			AdvertiseRoutes: finalRoutes,
+			AdvertiseRoutes: routes,
 		},
 		AdvertiseRoutesSet: true,
 	})

ipn/ipnlocal/local_test.go

@@ -18,7 +18,6 @@ import (
 	"go4.org/netipx"
 	"golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/appc"
-	"tailscale.com/appc/appctest"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
@@ -1170,13 +1169,6 @@ func TestRouteAdvertiser(t *testing.T) {
 	if routes.Len() != 1 || routes.At(0) != testPrefix {
 		t.Fatalf("got routes %v, want %v", routes, []netip.Prefix{testPrefix})
 	}
-
-	must.Do(ra.UnadvertiseRoute(testPrefix))
-
-	routes = b.Prefs().AdvertiseRoutes()
-	if routes.Len() != 0 {
-		t.Fatalf("got routes %v, want none", routes)
-	}
 }
 
 func TestRouterAdvertiserIgnoresContainedRoutes(t *testing.T) {
@@ -1205,52 +1197,14 @@ func TestObserveDNSResponse(t *testing.T) {
 	// ensure no error when no app connector is configured
 	b.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
 
-	rc := &appctest.RouteCollector{}
+	rc := &routeCollector{}
 	b.appConnector = appc.NewAppConnector(t.Logf, rc)
 	b.appConnector.UpdateDomains([]string{"example.com"})
-	b.appConnector.Wait(context.Background())
 
 	b.ObserveDNSResponse(dnsResponse("example.com.", "192.0.0.8"))
-	b.appConnector.Wait(context.Background())
 	wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
-	if !slices.Equal(rc.Routes(), wantRoutes) {
-		t.Fatalf("got routes %v, want %v", rc.Routes(), wantRoutes)
-	}
-}
-
-func TestCoveredRouteRange(t *testing.T) {
-	tests := []struct {
-		existingRoute netip.Prefix
-		newRoute      netip.Prefix
-		want          bool
-	}{
-		{
-			existingRoute: netip.MustParsePrefix("192.0.0.1/32"),
-			newRoute:      netip.MustParsePrefix("192.0.0.1/32"),
-			want:          true,
-		},
-		{
-			existingRoute: netip.MustParsePrefix("192.0.0.1/32"),
-			newRoute:      netip.MustParsePrefix("192.0.0.2/32"),
-			want:          false,
-		},
-		{
-			existingRoute: netip.MustParsePrefix("192.0.0.0/24"),
-			newRoute:      netip.MustParsePrefix("192.0.0.1/32"),
-			want:          true,
-		},
-		{
-			existingRoute: netip.MustParsePrefix("192.0.0.0/16"),
-			newRoute:      netip.MustParsePrefix("192.0.0.0/24"),
-			want:          true,
-		},
-	}
-
-	for _, tt := range tests {
-		got := coveredRouteRange([]netip.Prefix{tt.existingRoute}, tt.newRoute)
-		if got != tt.want {
-			t.Errorf("coveredRouteRange(%v, %v) = %v, want %v", tt.existingRoute, tt.newRoute, got, tt.want)
-		}
+	if !slices.Equal(rc.routes, wantRoutes) {
+		t.Fatalf("got routes %v, want %v", rc.routes, wantRoutes)
 	}
 }
 
@@ -1289,7 +1243,6 @@ func TestReconfigureAppConnector(t *testing.T) {
 	}).View()
 
 	b.reconfigAppConnectorLocked(b.netMap, b.pm.prefs)
-	b.appConnector.Wait(context.Background())
 
 	want := []string{"example.com"}
 	if !slices.Equal(b.appConnector.Domains().AsSlice(), want) {
@@ -1389,6 +1342,16 @@ func dnsResponse(domain, address string) []byte {
 	return must.Get(b.Finish())
 }
 
+// routeCollector is a test helper that collects the list of routes advertised
+type routeCollector struct {
+	routes []netip.Prefix
+}
+
+func (rc *routeCollector) AdvertiseRoute(pfx netip.Prefix) error {
+	rc.routes = append(rc.routes, pfx)
+	return nil
+}
+
 type errorSyspolicyHandler struct {
 	t         *testing.T
 	err       error

ipn/ipnlocal/peerapi_test.go

@@ -23,7 +23,6 @@ import (
 	"go4.org/netipx"
 	"golang.org/x/net/dns/dnsmessage"
 	"tailscale.com/appc"
-	"tailscale.com/appc/appctest"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
@@ -686,11 +685,10 @@ func TestPeerAPIReplyToDNSQueries(t *testing.T) {
 }
 
 func TestPeerAPIReplyToDNSQueriesAreObserved(t *testing.T) {
-	ctx := context.Background()
 	var h peerAPIHandler
 	h.remoteAddr = netip.MustParseAddrPort("100.150.151.152:12345")
 
-	rc := &appctest.RouteCollector{}
+	rc := &routeCollector{}
 	eng, _ := wgengine.NewFakeUserspaceEngine(logger.Discard, 0)
 	pm := must.Get(newProfileManager(new(mem.Store), t.Logf))
 	h.ps = &peerAPIServer{
@@ -702,7 +700,6 @@ func TestPeerAPIReplyToDNSQueriesAreObserved(t *testing.T) {
 		},
 	}
 	h.ps.b.appConnector.UpdateDomains([]string{"example.com"})
-	h.ps.b.appConnector.Wait(ctx)
 
 	h.ps.resolver = &fakeResolver{}
 	f := filter.NewAllowAllForTest(logger.Discard)
@@ -720,11 +717,10 @@ func TestPeerAPIReplyToDNSQueriesAreObserved(t *testing.T) {
 	if w.Code != http.StatusOK {
 		t.Errorf("unexpected status code: %v", w.Code)
 	}
-	h.ps.b.appConnector.Wait(ctx)
 
 	wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
-	if !slices.Equal(rc.Routes(), wantRoutes) {
-		t.Errorf("got %v; want %v", rc.Routes(), wantRoutes)
+	if !slices.Equal(rc.routes, wantRoutes) {
+		t.Errorf("got %v; want %v", rc.routes, wantRoutes)
 	}
 }
 

ipn/ipnlocal/serve.go

@@ -34,7 +34,6 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/lazy"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/ctxkey"
 	"tailscale.com/util/mak"
 	"tailscale.com/version"
 )
@@ -49,7 +48,8 @@ const (
 // current etag of a resource.
 var ErrETagMismatch = errors.New("etag mismatch")
 
-var serveHTTPContextKey ctxkey.Key[*serveHTTPContext]
+// serveHTTPContextKey is the context.Value key for a *serveHTTPContext.
+type serveHTTPContextKey struct{}
 
 type serveHTTPContext struct {
 	SrcAddr  netip.AddrPort
@@ -433,7 +433,7 @@ func (b *LocalBackend) tcpHandlerForServe(dport uint16, srcAddr netip.AddrPort)
 		hs := &http.Server{
 			Handler: http.HandlerFunc(b.serveWebHandler),
 			BaseContext: func(_ net.Listener) context.Context {
-				return serveHTTPContextKey.WithValue(context.Background(), &serveHTTPContext{
+				return context.WithValue(context.Background(), serveHTTPContextKey{}, &serveHTTPContext{
 					SrcAddr:  srcAddr,
 					DestPort: dport,
 				})
@@ -500,6 +500,11 @@ func (b *LocalBackend) tcpHandlerForServe(dport uint16, srcAddr netip.AddrPort)
 	return nil
 }
 
+func getServeHTTPContext(r *http.Request) (c *serveHTTPContext, ok bool) {
+	c, ok = r.Context().Value(serveHTTPContextKey{}).(*serveHTTPContext)
+	return c, ok
+}
+
 func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView, at string, ok bool) {
 	var z ipn.HTTPHandlerView // zero value
 
@@ -516,7 +521,7 @@ func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView,
 		hostname = r.TLS.ServerName
 	}
 
-	sctx, ok := serveHTTPContextKey.ValueOk(r.Context())
+	sctx, ok := getServeHTTPContext(r)
 	if !ok {
 		b.logf("[unexpected] localbackend: no serveHTTPContext in request")
 		return z, "", false
@@ -679,7 +684,7 @@ func addProxyForwardedHeaders(r *httputil.ProxyRequest) {
 	if r.In.TLS != nil {
 		r.Out.Header.Set("X-Forwarded-Proto", "https")
 	}
-	if c, ok := serveHTTPContextKey.ValueOk(r.Out.Context()); ok {
+	if c, ok := getServeHTTPContext(r.Out); ok {
 		r.Out.Header.Set("X-Forwarded-For", c.SrcAddr.Addr().String())
 	}
 }
@@ -691,7 +696,7 @@ func (b *LocalBackend) addTailscaleIdentityHeaders(r *httputil.ProxyRequest) {
 	r.Out.Header.Del("Tailscale-User-Profile-Pic")
 	r.Out.Header.Del("Tailscale-Headers-Info")
 
-	c, ok := serveHTTPContextKey.ValueOk(r.Out.Context())
+	c, ok := getServeHTTPContext(r.Out)
 	if !ok {
 		return
 	}

ipn/ipnlocal/serve_test.go

@@ -158,7 +158,7 @@ func TestGetServeHandler(t *testing.T) {
 				TLS: &tls.ConnectionState{ServerName: serverName},
 			}
 			port := cmpx.Or(tt.port, 443)
-			req = req.WithContext(serveHTTPContextKey.WithValue(req.Context(), &serveHTTPContext{
+			req = req.WithContext(context.WithValue(req.Context(), serveHTTPContextKey{}, &serveHTTPContext{
 				DestPort: port,
 			}))
 
@@ -428,7 +428,7 @@ func TestServeHTTPProxy(t *testing.T) {
 				URL: &url.URL{Path: "/"},
 				TLS: &tls.ConnectionState{ServerName: "example.ts.net"},
 			}
-			req = req.WithContext(serveHTTPContextKey.WithValue(req.Context(), &serveHTTPContext{
+			req = req.WithContext(context.WithValue(req.Context(), serveHTTPContextKey{}, &serveHTTPContext{
 				DestPort: 443,
 				SrcAddr:  netip.MustParseAddrPort(tt.srcIP + ":1234"), // random src port for tests
 			}))

ipn/ipnserver/server.go

@@ -251,12 +251,6 @@ func (s *Server) checkConnIdentityLocked(ci *ipnauth.ConnIdentity) error {
 				return err
 			}
 
-			// Always allow Windows SYSTEM user to connect,
-			// even if Tailscale is currently being used by another user.
-			if chkTok != nil && chkTok.IsLocalSystem() {
-				return nil
-			}
-
 			activeTok, err := active.WindowsToken()
 			if err == nil {
 				defer activeTok.Close()
@@ -407,10 +401,8 @@ func (s *Server) addActiveHTTPRequest(req *http.Request, ci *ipnauth.ConnIdentit
 			if !errors.Is(err, ipnauth.ErrNotImplemented) {
 				s.logf("error obtaining access token: %v", err)
 			}
-		} else if !token.IsLocalSystem() {
-			// Tell the LocalBackend about the identity we're now running as,
-			// unless its the SYSTEM user. That user is not a real account and
-			// doesn't have a home directory.
+		} else {
+			// Tell the LocalBackend about the identity we're now running as.
 			uid, err := lb.SetCurrentUser(token)
 			if err != nil {
 				token.Close()

licenses/android.md

@@ -50,9 +50,9 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
  - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
  - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.4/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.4/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.4/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
  - [github.com/kortschak/wol](https://pkg.go.dev/github.com/kortschak/wol) ([BSD-3-Clause](https://github.com/kortschak/wol/blob/da482cc4850a/LICENSE))
  - [github.com/mdlayher/genetlink](https://pkg.go.dev/github.com/mdlayher/genetlink) ([MIT](https://github.com/mdlayher/genetlink/blob/v1.3.2/LICENSE.md))
  - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))
@@ -64,12 +64,12 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/pkg/errors](https://pkg.go.dev/github.com/pkg/errors) ([BSD-2-Clause](https://github.com/pkg/errors/blob/v0.9.1/LICENSE))
  - [github.com/safchain/ethtool](https://pkg.go.dev/github.com/safchain/ethtool) ([Apache-2.0](https://github.com/safchain/ethtool/blob/v0.3.0/LICENSE))
  - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/7ce1f622c780/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/f0b76a10a08e/LICENSE))
  - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
  - [github.com/tailscale/hujson](https://pkg.go.dev/github.com/tailscale/hujson) ([BSD-3-Clause](https://github.com/tailscale/hujson/blob/20486734a56a/LICENSE))
  - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
  - [github.com/tailscale/tailscale-android](https://pkg.go.dev/github.com/tailscale/tailscale-android) ([BSD-3-Clause](https://github.com/tailscale/tailscale-android/blob/HEAD/LICENSE))
- - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/26bf65339dda/LICENSE))
+ - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/9b3142ca6f79/LICENSE))
  - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/cc193a0b3272/LICENSE))
  - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
  - [github.com/u-root/uio](https://pkg.go.dev/github.com/u-root/uio) ([BSD-3-Clause](https://github.com/u-root/uio/blob/3e8cd9d6bf63/LICENSE))
@@ -80,14 +80,14 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
  - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/6213f710f925/LICENSE))
  - [go4.org/unsafe/assume-no-moving-gc](https://pkg.go.dev/go4.org/unsafe/assume-no-moving-gc) ([BSD-3-Clause](https://github.com/go4org/unsafe-assume-no-moving-gc/blob/e7c30c78aeb2/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/08396bb9:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.15.0:LICENSE))
  - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/92128663:LICENSE))
  - [golang.org/x/exp/shiny](https://pkg.go.dev/golang.org/x/exp/shiny) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/334a2380:shiny/LICENSE))
  - [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.12.0:LICENSE))
  - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.18.0:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.5.0:LICENSE))
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.15.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.15.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.14.0:LICENSE))
  - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.14.0:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
  - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/4fe30062272c/LICENSE))

licenses/apple.md

@@ -1,10 +1,10 @@
-# Tailscale for macOS/iOS/tvOS dependencies
+# Tailscale for macOS/iOS dependencies
 
-The following open source dependencies are used to build Tailscale on [macOS][], [iOS][] and [tvOS][].  See also the dependencies in the [Tailscale CLI][].
+The following open source dependencies are used to build Tailscale on [macOS][]
+and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 
 [macOS]: https://tailscale.com/kb/1016/install-mac/
 [iOS]: https://tailscale.com/kb/1020/install-ios/
-[tvOS]: https://tailscale.com/kb/1280/appletv/
 [Tailscale CLI]: ./tailscale.md
 
 ## Go Packages
@@ -53,7 +53,7 @@ The following open source dependencies are used to build Tailscale on [macOS][],
  - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
  - [github.com/pierrec/lz4/v4](https://pkg.go.dev/github.com/pierrec/lz4/v4) ([BSD-3-Clause](https://github.com/pierrec/lz4/blob/v4.1.18/LICENSE))
  - [github.com/safchain/ethtool](https://pkg.go.dev/github.com/safchain/ethtool) ([Apache-2.0](https://github.com/safchain/ethtool/blob/v0.3.0/LICENSE))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/7ce1f622c780/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/f0b76a10a08e/LICENSE))
  - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
  - [github.com/tailscale/hujson](https://pkg.go.dev/github.com/tailscale/hujson) ([BSD-3-Clause](https://github.com/tailscale/hujson/blob/20486734a56a/LICENSE))
  - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
@@ -65,12 +65,12 @@ The following open source dependencies are used to build Tailscale on [macOS][],
  - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
  - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/6213f710f925/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/08396bb9:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.15.0:LICENSE))
  - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/92128663:LICENSE))
  - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.18.0:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.5.0:LICENSE))
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.15.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.15.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.14.0:LICENSE))
  - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.14.0:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
  - [gvisor.dev/gvisor/pkg](https://pkg.go.dev/gvisor.dev/gvisor/pkg) ([Apache-2.0](https://github.com/google/gvisor/blob/4fe30062272c/LICENSE))

licenses/tailscale.md

@@ -74,10 +74,10 @@ Some packages may only be included on certain architectures or operating systems
  - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
  - [github.com/tailscale/certstore](https://pkg.go.dev/github.com/tailscale/certstore) ([MIT](https://github.com/tailscale/certstore/blob/d3fa0460f47e/LICENSE.md))
  - [github.com/tailscale/go-winio](https://pkg.go.dev/github.com/tailscale/go-winio) ([MIT](https://github.com/tailscale/go-winio/blob/c4f33415bf55/LICENSE))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/7ce1f622c780/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/f0b76a10a08e/LICENSE))
  - [github.com/tailscale/hujson](https://pkg.go.dev/github.com/tailscale/hujson) ([BSD-3-Clause](https://github.com/tailscale/hujson/blob/20486734a56a/LICENSE))
  - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
- - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/5ca22df9e6e7/LICENSE))
+ - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/a4fa669015b2/LICENSE))
  - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/cc193a0b3272/LICENSE))
  - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
  - [github.com/toqueteos/webbrowser](https://pkg.go.dev/github.com/toqueteos/webbrowser) ([MIT](https://github.com/toqueteos/webbrowser/blob/v1.2.0/LICENSE.md))
@@ -88,13 +88,13 @@ Some packages may only be included on certain architectures or operating systems
  - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
  - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/6213f710f925/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/08396bb9:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.15.0:LICENSE))
  - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/92128663:LICENSE))
  - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.18.0:LICENSE))
  - [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) ([BSD-3-Clause](https://cs.opensource.google/go/x/oauth2/+/v0.12.0:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.5.0:LICENSE))
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.15.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.15.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.14.0:LICENSE))
  - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.14.0:LICENSE))
  - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/v0.3.0:LICENSE))
  - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=0fa3db229ce2))

licenses/windows.md

@@ -52,7 +52,7 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
  - [github.com/tailscale/go-winio](https://pkg.go.dev/github.com/tailscale/go-winio) ([MIT](https://github.com/tailscale/go-winio/blob/c4f33415bf55/LICENSE))
  - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
- - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/6a278000867c/LICENSE))
+ - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/95b7e17614b9/LICENSE))
  - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/d2e5cdeed6dc/LICENSE))
  - [github.com/tc-hib/winres](https://pkg.go.dev/github.com/tc-hib/winres) ([0BSD](https://github.com/tc-hib/winres/blob/v0.2.1/LICENSE))
  - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/v1.2.1-beta.2/LICENSE))
@@ -60,14 +60,14 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
  - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
  - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
  - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/6213f710f925/LICENSE))
- - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/08396bb9:LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/v0.15.0:LICENSE))
  - [golang.org/x/exp/constraints](https://pkg.go.dev/golang.org/x/exp/constraints) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/92128663:LICENSE))
- - [golang.org/x/image/bmp](https://pkg.go.dev/golang.org/x/image/bmp) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.14.0:LICENSE))
+ - [golang.org/x/image/bmp](https://pkg.go.dev/golang.org/x/image/bmp) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/v0.12.0:LICENSE))
  - [golang.org/x/mod](https://pkg.go.dev/golang.org/x/mod) ([BSD-3-Clause](https://cs.opensource.google/go/x/mod/+/v0.14.0:LICENSE))
  - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/v0.18.0:LICENSE))
  - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/v0.5.0:LICENSE))
  - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/v0.15.0:LICENSE))
- - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.15.0:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/v0.14.0:LICENSE))
  - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/v0.14.0:LICENSE))
  - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=0fa3db229ce2))
  - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))

net/netmon/netmon.go

@@ -478,28 +478,6 @@ func (m *Monitor) IsMajorChangeFrom(s1, s2 *interfaces.State) bool {
 			return true
 		}
 	}
-	// Iterate over s2 in case there is a field in s2 that doesn't exist in s1
-	for iname, i := range s2.Interface {
-		if iname == m.tsIfName {
-			// Ignore changes in the Tailscale interface itself.
-			continue
-		}
-		ips := s2.InterfaceIPs[iname]
-		if !m.isInterestingInterface(i, ips) {
-			continue
-		}
-		i1, ok := s1.Interface[iname]
-		if !ok {
-			return true
-		}
-		ips1, ok := s1.InterfaceIPs[iname]
-		if !ok {
-			return true
-		}
-		if !i.Equal(i1) || !prefixesMajorEqual(ips, ips1) {
-			return true
-		}
-	}
 	return false
 }
 

net/portmapper/upnp.go

@@ -252,8 +252,7 @@ func getUPnPRootDevice(ctx context.Context, logf logger.Logf, debug DebugKnobs,
 }
 
 // selectBestService picks the "best" service from the given UPnP root device
-// to use to create a port mapping. It may return (nil, nil) if no supported
-// service was found in the provided *goupnp.RootDevice.
+// to use to create a port mapping.
 //
 // loc is the parsed location that was used to fetch the given RootDevice.
 //
@@ -560,20 +559,6 @@ func (c *Client) tryUPnPPortmapWithDevice(
 		return netip.AddrPort{}, nil, err
 	}
 
-	// If we have no client, we cannot continue; this can happen if we get
-	// a valid UPnP response that does not contain any of the service types
-	// that we know how to use.
-	if client == nil {
-		// For debugging, print all available services that we aren't
-		// using because they're not supported; use c.vlogf so we don't
-		// spam the logs unless verbose debugging is turned on.
-		rootDev.Device.VisitServices(func(s *goupnp.Service) {
-			c.vlogf("unsupported UPnP service: Type=%q ID=%q ControlURL=%q", s.ServiceType, s.ServiceId, s.ControlURL.Str)
-		})
-
-		return netip.AddrPort{}, nil, fmt.Errorf("no supported UPnP clients")
-	}
-
 	// Start by trying to make a temporary lease with a duration.
 	var newPort uint16
 	newPort, err = addAnyPortMapping(

net/portmapper/upnp_test.go

@@ -165,172 +165,6 @@ const (
   </device>
   <disabledForTestURLBase>http://10.0.0.1:2828</disabledForTestURLBase>
 </root>
-`
-
-	// Huawei, https://github.com/tailscale/tailscale/issues/10911
-	huaweiRootDescXML = `<?xml version="1.0"?>
-<root xmlns="urn:schemas-upnp-org:device-1-0">
-  <specVersion>
-    <major>1</major>
-    <minor>0</minor>
-  </specVersion>
-  <device>
-    <deviceType>urn:dslforum-org:device:InternetGatewayDevice:1</deviceType>
-    <friendlyName>HG531 V1</friendlyName>
-    <manufacturer>Huawei Technologies Co., Ltd.</manufacturer>
-    <manufacturerURL>http://www.huawei.com</manufacturerURL>
-    <modelDescription>Huawei Home Gateway</modelDescription>
-    <modelName>HG531 V1</modelName>
-    <modelNumber>Huawei Model</modelNumber>
-    <modelURL>http://www.huawei.com</modelURL>
-    <serialNumber>G6J8W15326003974</serialNumber>
-    <UDN>uuid:00e0fc37-2626-2828-2600-587f668bdd9a</UDN>
-    <UPC>000000000001</UPC>
-    <serviceList>
-      <service>
-        <serviceType>urn:www-huawei-com:service:DeviceConfig:1</serviceType>
-        <serviceId>urn:www-huawei-com:serviceId:DeviceConfig1</serviceId>
-        <SCPDURL>/desc/DevCfg.xml</SCPDURL>
-        <controlURL>/ctrlt/DeviceConfig_1</controlURL>
-        <eventSubURL>/evt/DeviceConfig_1</eventSubURL>
-      </service>
-      <service>
-        <serviceType>urn:dslforum-org:service:LANConfigSecurity:1</serviceType>
-        <serviceId>urn:dslforum-org:serviceId:LANConfigSecurity1</serviceId>
-        <SCPDURL>/desc/LANSec.xml</SCPDURL>
-        <controlURL>/ctrlt/LANConfigSecurity_1</controlURL>
-        <eventSubURL>/evt/LANConfigSecurity_1</eventSubURL>
-      </service>
-      <service>
-        <serviceType>urn:dslforum-org:service:Layer3Forwarding:1</serviceType>
-        <serviceId>urn:dslforum-org:serviceId:Layer3Forwarding1</serviceId>
-        <SCPDURL>/desc/L3Fwd.xml</SCPDURL>
-        <controlURL>/ctrlt/Layer3Forwarding_1</controlURL>
-        <eventSubURL>/evt/Layer3Forwarding_1</eventSubURL>
-      </service>
-    </serviceList>
-    <deviceList>
-      <device>
-        <deviceType>urn:dslforum-org:device:WANDevice:1</deviceType>
-        <friendlyName>WANDevice</friendlyName>
-        <manufacturer>Huawei Technologies Co., Ltd.</manufacturer>
-        <manufacturerURL>http://www.huawei.com</manufacturerURL>
-        <modelDescription>Huawei Home Gateway</modelDescription>
-        <modelName>HG531 V1</modelName>
-        <modelNumber>Huawei Model</modelNumber>
-        <modelURL>http://www.huawei.com</modelURL>
-        <serialNumber>G6J8W15326003974</serialNumber>
-        <UDN>uuid:00e0fc37-2626-2828-2601-587f668bdd9a</UDN>
-        <UPC>000000000001</UPC>
-        <serviceList>
-          <service>
-            <serviceType>urn:dslforum-org:service:WANDSLInterfaceConfig:1</serviceType>
-            <serviceId>urn:dslforum-org:serviceId:WANDSLInterfaceConfig1</serviceId>
-            <SCPDURL>/desc/WanDslIfCfg.xml</SCPDURL>
-            <controlURL>/ctrlt/WANDSLInterfaceConfig_1</controlURL>
-            <eventSubURL>/evt/WANDSLInterfaceConfig_1</eventSubURL>
-          </service>
-          <service>
-            <serviceType>urn:dslforum-org:service:WANCommonInterfaceConfig:1</serviceType>
-            <serviceId>urn:dslforum-org:serviceId:WANCommonInterfaceConfig1</serviceId>
-            <SCPDURL>/desc/WanCommonIfc1.xml</SCPDURL>
-            <controlURL>/ctrlt/WANCommonInterfaceConfig_1</controlURL>
-            <eventSubURL>/evt/WANCommonInterfaceConfig_1</eventSubURL>
-          </service>
-        </serviceList>
-        <deviceList>
-          <device>
-            <deviceType>urn:dslforum-org:device:WANConnectionDevice:1</deviceType>
-            <friendlyName>WANConnectionDevice</friendlyName>
-            <manufacturer>Huawei Technologies Co., Ltd.</manufacturer>
-            <manufacturerURL>http://www.huawei.com</manufacturerURL>
-            <modelDescription>Huawei Home Gateway</modelDescription>
-            <modelName>HG531 V1</modelName>
-            <modelNumber>Huawei Model</modelNumber>
-            <modelURL>http://www.huawei.com</modelURL>
-            <serialNumber>G6J8W15326003974</serialNumber>
-            <UDN>uuid:00e0fc37-2626-2828-2603-587f668bdd9a</UDN>
-            <UPC>000000000001</UPC>
-            <serviceList>
-              <service>
-                <serviceType>urn:dslforum-org:service:WANPPPConnection:1</serviceType>
-                <serviceId>urn:dslforum-org:serviceId:WANPPPConnection1</serviceId>
-                <SCPDURL>/desc/WanPppConn.xml</SCPDURL>
-                <controlURL>/ctrlt/WANPPPConnection_1</controlURL>
-                <eventSubURL>/evt/WANPPPConnection_1</eventSubURL>
-              </service>
-              <service>
-                <serviceType>urn:dslforum-org:service:WANEthernetConnectionManagement:1</serviceType>
-                <serviceId>urn:dslforum-org:serviceId:WANEthernetConnectionManagement1</serviceId>
-                <SCPDURL>/desc/WanEthConnMgt.xml</SCPDURL>
-                <controlURL>/ctrlt/WANEthernetConnectionManagement_1</controlURL>
-                <eventSubURL>/evt/WANEthernetConnectionManagement_1</eventSubURL>
-              </service>
-              <service>
-                <serviceType>urn:dslforum-org:service:WANDSLLinkConfig:1</serviceType>
-                <serviceId>urn:dslforum-org:serviceId:WANDSLLinkConfig1</serviceId>
-                <SCPDURL>/desc/WanDslLink.xml</SCPDURL>
-                <controlURL>/ctrlt/WANDSLLinkConfig_1</controlURL>
-                <eventSubURL>/evt/WANDSLLinkConfig_1</eventSubURL>
-              </service>
-            </serviceList>
-          </device>
-        </deviceList>
-      </device>
-      <device>
-        <deviceType>urn:dslforum-org:device:LANDevice:1</deviceType>
-        <friendlyName>LANDevice</friendlyName>
-        <manufacturer>Huawei Technologies Co., Ltd.</manufacturer>
-        <manufacturerURL>http://www.huawei.com</manufacturerURL>
-        <modelDescription>Huawei Home Gateway</modelDescription>
-        <modelName>HG531 V1</modelName>
-        <modelNumber>Huawei Model</modelNumber>
-        <modelURL>http://www.huawei.com</modelURL>
-        <serialNumber>G6J8W15326003974</serialNumber>
-        <UDN>uuid:00e0fc37-2626-2828-2602-587f668bdd9a</UDN>
-        <UPC>000000000001</UPC>
-        <serviceList>
-          <service>
-            <serviceType>urn:dslforum-org:service:WLANConfiguration:1</serviceType>
-            <serviceId>urn:dslforum-org:serviceId:WLANConfiguration4</serviceId>
-            <SCPDURL>/desc/WLANCfg.xml</SCPDURL>
-            <controlURL>/ctrlt/WLANConfiguration_4</controlURL>
-            <eventSubURL>/evt/WLANConfiguration_4</eventSubURL>
-          </service>
-          <service>
-            <serviceType>urn:dslforum-org:service:WLANConfiguration:1</serviceType>
-            <serviceId>urn:dslforum-org:serviceId:WLANConfiguration3</serviceId>
-            <SCPDURL>/desc/WLANCfg.xml</SCPDURL>
-            <controlURL>/ctrlt/WLANConfiguration_3</controlURL>
-            <eventSubURL>/evt/WLANConfiguration_3</eventSubURL>
-          </service>
-          <service>
-            <serviceType>urn:dslforum-org:service:WLANConfiguration:1</serviceType>
-            <serviceId>urn:dslforum-org:serviceId:WLANConfiguration2</serviceId>
-            <SCPDURL>/desc/WLANCfg.xml</SCPDURL>
-            <controlURL>/ctrlt/WLANConfiguration_2</controlURL>
-            <eventSubURL>/evt/WLANConfiguration_2</eventSubURL>
-          </service>
-          <service>
-            <serviceType>urn:dslforum-org:service:WLANConfiguration:1</serviceType>
-            <serviceId>urn:dslforum-org:serviceId:WLANConfiguration1</serviceId>
-            <SCPDURL>/desc/WLANCfg.xml</SCPDURL>
-            <controlURL>/ctrlt/WLANConfiguration_1</controlURL>
-            <eventSubURL>/evt/WLANConfiguration_1</eventSubURL>
-          </service>
-          <service>
-            <serviceType>urn:dslforum-org:service:LANHostConfigManagement:1</serviceType>
-            <serviceId>urn:dslforum-org:serviceId:LANHostConfigManagement1</serviceId>
-            <SCPDURL>/desc/LanHostCfgMgmt.xml</SCPDURL>
-            <controlURL>/ctrlt/LANHostConfigManagement_1</controlURL>
-            <eventSubURL>/evt/LANHostConfigManagement_1</eventSubURL>
-          </service>
-        </serviceList>
-      </device>
-    </deviceList>
-    <presentationURL>http://127.0.0.1</presentationURL>
-  </device>
-</root>
 `
 )
 
@@ -399,14 +233,6 @@ func TestGetUPnPClient(t *testing.T) {
 			"*internetgateway2.WANIPConnection1",
 			"saw UPnP type WANIPConnection1 at http://127.0.0.1:NNN/rootDesc.xml; MikroTik Router (MikroTik), method=none\n",
 		},
-		{
-			"huawei",
-			huaweiRootDescXML,
-			// services not supported and thus returns nil, but shouldn't crash
-			"<nil>",
-			"",
-		},
-
 		// TODO(bradfitz): find a PPP one in the wild
 	}
 	for _, tt := range tests {
@@ -549,48 +375,6 @@ func TestGetUPnPPortMapping(t *testing.T) {
 	}
 }
 
-// TestGetUPnPPortMapping_NoValidServices tests that getUPnPPortMapping doesn't
-// crash when a valid UPnP response with no supported services is discovered
-// and parsed.
-//
-// See https://github.com/tailscale/tailscale/issues/10911
-func TestGetUPnPPortMapping_NoValidServices(t *testing.T) {
-	igd, err := NewTestIGD(t.Logf, TestIGDOptions{UPnP: true})
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer igd.Close()
-
-	igd.SetUPnPHandler(&upnpServer{
-		t:    t,
-		Desc: huaweiRootDescXML,
-	})
-
-	c := newTestClient(t, igd)
-	defer c.Close()
-	c.debug.VerboseLogs = true
-
-	ctx := context.Background()
-	res, err := c.Probe(ctx)
-	if err != nil {
-		t.Fatalf("Probe: %v", err)
-	}
-	if !res.UPnP {
-		t.Errorf("didn't detect UPnP")
-	}
-
-	gw, myIP, ok := c.gatewayAndSelfIP()
-	if !ok {
-		t.Fatalf("could not get gateway and self IP")
-	}
-
-	// This shouldn't panic
-	_, ok = c.getUPnPPortMapping(ctx, gw, netip.AddrPortFrom(myIP, 12345), 0)
-	if ok {
-		t.Fatal("did not expect to get UPnP port mapping")
-	}
-}
-
 func TestGetUPnPPortMappingNoResponses(t *testing.T) {
 	igd, err := NewTestIGD(t.Logf, TestIGDOptions{UPnP: true})
 	if err != nil {

safesocket/safesocket_darwin.go

@@ -16,8 +16,6 @@ import (
 	"strings"
 	"sync"
 	"time"
-
-	"tailscale.com/version"
 )
 
 func init() {
@@ -74,7 +72,7 @@ func localTCPPortAndTokenDarwin() (port int, token string, err error) {
 
 	if dir := os.Getenv("TS_MACOS_CLI_SHARED_DIR"); dir != "" {
 		// First see if we're running as the non-AppStore "macsys" variant.
-		if version.IsMacSysExt() {
+		if strings.Contains(os.Getenv("HOME"), "/Containers/io.tailscale.ipn.macsys/") {
 			if port, token, err := localTCPPortAndTokenMacsys(); err == nil {
 				return port, token, nil
 			}

shell.nix

@@ -16,4 +16,4 @@
 ) {
   src =  ./.;
 }).shellNix
-# nix-direnv cache busting line: sha256-BK1zugKGtx2RpWHDvFZaFqz/YdoewsG8SscGt25uwtQ=
+# nix-direnv cache busting line: sha256-uMVRdgO/HTs0CKqWPUFEL/rFvzio1vblTUaz5Cgi+5Q=

tailcfg/tailcfg.go

@@ -1341,9 +1341,6 @@ const (
 	PeerCapabilityWakeOnLAN PeerCapability = "https://tailscale.com/cap/wake-on-lan"
 	// PeerCapabilityIngress grants the ability for a peer to send ingress traffic.
 	PeerCapabilityIngress PeerCapability = "https://tailscale.com/cap/ingress"
-	// PeerCapabilityWebUI grants the ability for a peer to edit features from the
-	// device Web UI.
-	PeerCapabilityWebUI PeerCapability = "tailscale.com/cap/webui"
 )
 
 // NodeCapMap is a map of capabilities to their optional values. It is valid for

tstime/rate/value.go

@@ -4,7 +4,6 @@
 package rate
 
 import (
-	"encoding/json"
 	"fmt"
 	"math"
 	"sync"
@@ -182,41 +181,3 @@ func (r *Value) rateNow(now mono.Time) float64 {
 func (r *Value) normalizedIntegral() float64 {
 	return r.halfLife() / math.Ln2
 }
-
-type jsonValue struct {
-	// TODO: Use v2 "encoding/json" for native time.Duration formatting.
-	HalfLife string    `json:"halfLife,omitempty,omitzero"`
-	Value    float64   `json:"value,omitempty,omitzero"`
-	Updated  mono.Time `json:"updated,omitempty,omitzero"`
-}
-
-func (r *Value) MarshalJSON() ([]byte, error) {
-	if r == nil {
-		return []byte("null"), nil
-	}
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	v := jsonValue{Value: r.value, Updated: r.updated}
-	if r.HalfLife > 0 {
-		v.HalfLife = r.HalfLife.String()
-	}
-	return json.Marshal(v)
-}
-
-func (r *Value) UnmarshalJSON(b []byte) error {
-	var v jsonValue
-	if err := json.Unmarshal(b, &v); err != nil {
-		return err
-	}
-	halfLife, err := time.ParseDuration(v.HalfLife)
-	if err != nil && v.HalfLife != "" {
-		return fmt.Errorf("invalid halfLife: %w", err)
-	}
-
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	r.HalfLife = halfLife
-	r.value = v.Value
-	r.updated = v.Updated
-	return nil
-}

tstime/rate/value_test.go

@@ -6,14 +6,12 @@ package rate
 import (
 	"flag"
 	"math"
-	"reflect"
 	"testing"
 	"time"
 
 	qt "github.com/frankban/quicktest"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"tailscale.com/tstime/mono"
-	"tailscale.com/util/must"
 )
 
 const (
@@ -236,26 +234,3 @@ func BenchmarkValue(b *testing.B) {
 		v.Add(1)
 	}
 }
-
-func TestValueMarshal(t *testing.T) {
-	now := mono.Now()
-	tests := []struct {
-		val *Value
-		str string
-	}{
-		{val: &Value{}, str: `{}`},
-		{val: &Value{HalfLife: 5 * time.Minute}, str: `{"halfLife":"` + (5 * time.Minute).String() + `"}`},
-		{val: &Value{value: 12345, updated: now}, str: `{"value":12345,"updated":` + string(must.Get(now.MarshalJSON())) + `}`},
-	}
-	for _, tt := range tests {
-		str := string(must.Get(tt.val.MarshalJSON()))
-		if str != tt.str {
-			t.Errorf("string mismatch: got %v, want %v", str, tt.str)
-		}
-		var val Value
-		must.Do(val.UnmarshalJSON([]byte(str)))
-		if !reflect.DeepEqual(&val, tt.val) {
-			t.Errorf("value mismatch: %+v, want %+v", &val, tt.val)
-		}
-	}
-}

tsweb/request_id.go

@@ -8,7 +8,6 @@ import (
 	"net/http"
 
 	"github.com/google/uuid"
-	"tailscale.com/util/ctxkey"
 )
 
 // RequestID is an opaque identifier for a HTTP request, used to correlate
@@ -25,9 +24,6 @@ import (
 // opaque string. The current implementation uses a UUID.
 type RequestID string
 
-// RequestIDKey stores and loads [RequestID] values within a [context.Context].
-var RequestIDKey ctxkey.Key[RequestID]
-
 // RequestIDHeader is a custom HTTP header that the WithRequestID middleware
 // uses to determine whether to re-use a given request ID from the client
 // or generate a new one.
@@ -46,16 +42,22 @@ func SetRequestID(h http.Handler) http.Handler {
 			// transitions if needed.
 			id = "REQ-1" + uuid.NewString()
 		}
-		ctx := RequestIDKey.WithValue(r.Context(), RequestID(id))
+		ctx := withRequestID(r.Context(), RequestID(id))
 		r = r.WithContext(ctx)
 		h.ServeHTTP(w, r)
 	})
 }
 
+type requestIDKey struct{}
+
 // RequestIDFromContext retrieves the RequestID from context that can be set by
 // the SetRequestID function.
-//
-// Deprecated: Use [RequestIDKey.Value] instead.
 func RequestIDFromContext(ctx context.Context) RequestID {
-	return RequestIDKey.Value(ctx)
+	val, _ := ctx.Value(requestIDKey{}).(RequestID)
+	return val
+}
+
+// withRequestID sets the given request id value in the given context.
+func withRequestID(ctx context.Context, rid RequestID) context.Context {
+	return context.WithValue(ctx, requestIDKey{}, rid)
 }

tsweb/tsweb_test.go

@@ -166,7 +166,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "handler returns 404 via HTTPError with request ID",
 			rh:       handlerErr(0, Error(404, "not found", testErr)),
-			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/foo"),
+			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/foo"),
 			wantCode: 404,
 			wantLog: AccessLogRecord{
 				When:       startTime,
@@ -203,7 +203,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "handler returns 404 with request ID and nil child error",
 			rh:       handlerErr(0, Error(404, "not found", nil)),
-			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/foo"),
+			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/foo"),
 			wantCode: 404,
 			wantLog: AccessLogRecord{
 				When:       startTime,
@@ -240,7 +240,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "handler returns user-visible error with request ID",
 			rh:       handlerErr(0, vizerror.New("visible error")),
-			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/foo"),
+			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/foo"),
 			wantCode: 500,
 			wantLog: AccessLogRecord{
 				When:       startTime,
@@ -277,7 +277,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "handler returns user-visible error wrapped by private error with request ID",
 			rh:       handlerErr(0, fmt.Errorf("private internal error: %w", vizerror.New("visible error"))),
-			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/foo"),
+			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/foo"),
 			wantCode: 500,
 			wantLog: AccessLogRecord{
 				When:       startTime,
@@ -314,7 +314,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "handler returns generic error with request ID",
 			rh:       handlerErr(0, testErr),
-			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/foo"),
+			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/foo"),
 			wantCode: 500,
 			wantLog: AccessLogRecord{
 				When:       startTime,
@@ -350,7 +350,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "handler returns error after writing response with request ID",
 			rh:       handlerErr(200, testErr),
-			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/foo"),
+			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/foo"),
 			wantCode: 200,
 			wantLog: AccessLogRecord{
 				When:       startTime,
@@ -446,7 +446,7 @@ func TestStdHandler(t *testing.T) {
 		{
 			name:     "error handler gets run with request ID",
 			rh:       handlerErr(0, Error(404, "not found", nil)), // status code changed in errHandler
-			r:        req(RequestIDKey.WithValue(bgCtx, exampleRequestID), "http://example.com/"),
+			r:        req(withRequestID(bgCtx, exampleRequestID), "http://example.com/"),
 			wantCode: 200,
 			errHandler: func(w http.ResponseWriter, r *http.Request, e HTTPError) {
 				requestID := RequestIDFromContext(r.Context())

types/appctype/appconnector.go

@@ -66,8 +66,6 @@ type AppConnectorAttr struct {
 	// Domains enumerates the domains serviced by the specified app connectors.
 	// Domains can be of the form: example.com, or *.example.com.
 	Domains []string `json:"domains,omitempty"`
-	// Routes enumerates the predetermined routes to be advertised by the specified app connectors.
-	Routes []netip.Prefix `json:"routes,omitempty"`
 	// Connectors enumerates the app connectors which service these domains.
 	// These can either be "*" to match any advertising connector, or a
 	// tag of the form tag:<tag-name>.

types/logger/logger.go

@@ -21,7 +21,6 @@ import (
 	"context"
 
 	"tailscale.com/envknob"
-	"tailscale.com/util/ctxkey"
 )
 
 // Logf is the basic Tailscale logger type: a printf-like func.
@@ -29,16 +28,13 @@ import (
 // Logf functions must be safe for concurrent use.
 type Logf func(format string, args ...any)
 
-// LogfKey stores and loads [Logf] values within a [context.Context].
-var LogfKey = ctxkey.New("", Logf(log.Printf))
-
 // A Context is a context.Context that should contain a custom log function, obtainable from FromContext.
 // If no log function is present, FromContext will return log.Printf.
 // To construct a Context, use Add
-//
-// Deprecated: Do not use.
 type Context context.Context
 
+type logfKey struct{}
+
 // jenc is a json.Encode + bytes.Buffer pair wired up to be reused in a pool.
 type jenc struct {
 	buf bytes.Buffer
@@ -83,17 +79,17 @@ func (logf Logf) JSON(level int, recType string, v any) {
 }
 
 // FromContext extracts a log function from ctx.
-//
-// Deprecated: Use [LogfKey.Value] instead.
 func FromContext(ctx Context) Logf {
-	return LogfKey.Value(ctx)
+	v := ctx.Value(logfKey{})
+	if v == nil {
+		return log.Printf
+	}
+	return v.(Logf)
 }
 
 // Ctx constructs a Context from ctx with fn as its custom log function.
-//
-// Deprecated: Use [LogfKey.WithValue] instead.
 func Ctx(ctx context.Context, fn Logf) Context {
-	return LogfKey.WithValue(ctx, fn)
+	return context.WithValue(ctx, logfKey{}, fn)
 }
 
 // WithPrefix wraps f, prefixing each format with the provided prefix.

util/ctxkey/key.go

@@ -1,140 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// ctxkey provides type-safe key-value pairs for use with [context.Context].
-//
-// Example usage:
-//
-//	// Create a context key.
-//	var TimeoutKey = ctxkey.New("mapreduce.Timeout", 5*time.Second)
-//
-//	// Store a context value.
-//	ctx = mapreduce.TimeoutKey.WithValue(ctx, 10*time.Second)
-//
-//	// Load a context value.
-//	timeout := mapreduce.TimeoutKey.Value(ctx)
-//	... // use timeout of type time.Duration
-//
-// This is inspired by https://go.dev/issue/49189.
-package ctxkey
-
-import (
-	"context"
-	"fmt"
-	"reflect"
-)
-
-// TODO(https://go.dev/issue/60088): Use reflect.TypeFor instead.
-func reflectTypeFor[T any]() reflect.Type {
-	return reflect.TypeOf((*T)(nil)).Elem()
-}
-
-// Key is a generic key type associated with a specific value type.
-//
-// A zero Key is valid where the Value type itself is used as the context key.
-// This pattern should only be used with locally declared Go types,
-// otherwise different packages risk producing key conflicts.
-//
-// Example usage:
-//
-//	type peerInfo struct { ... }           // peerInfo is a locally declared type
-//	var peerInfoKey ctxkey.Key[peerInfo]
-//	ctx = peerInfoKey.WithValue(ctx, info) // store a context value
-//	info = peerInfoKey.Value(ctx)          // load a context value
-type Key[Value any] struct {
-	name   *stringer[string]
-	defVal *Value
-}
-
-// New constructs a new context key with an associated value type
-// where the default value for an unpopulated value is the provided value.
-//
-// The provided name is an arbitrary name only used for human debugging.
-// As a convention, it is recommended that the name be the dot-delimited
-// combination of the package name of the caller with the variable name.
-// If the name is not provided, then the name of the Value type is used.
-// Every key is unique, even if provided the same name.
-//
-// Example usage:
-//
-//	package mapreduce
-//	var NumWorkersKey = ctxkey.New("mapreduce.NumWorkers", runtime.NumCPU())
-func New[Value any](name string, defaultValue Value) Key[Value] {
-	// Allocate a new stringer to ensure that every invocation of New
-	// creates a universally unique context key even for the same name
-	// since newly allocated pointers are globally unique within a process.
-	key := Key[Value]{name: new(stringer[string])}
-	if name == "" {
-		name = reflectTypeFor[Value]().String()
-	}
-	key.name.v = name
-	if v := reflect.ValueOf(defaultValue); v.IsValid() && !v.IsZero() {
-		key.defVal = &defaultValue
-	}
-	return key
-}
-
-// contextKey returns the context key to use.
-func (key Key[Value]) contextKey() any {
-	if key.name == nil {
-		// Use the reflect.Type of the Value (implies key not created by New).
-		return reflectTypeFor[Value]()
-	} else {
-		// Use the name pointer directly (implies key created by New).
-		return key.name
-	}
-}
-
-// WithValue returns a copy of parent in which the value associated with key is val.
-//
-// It is a type-safe equivalent of [context.WithValue].
-func (key Key[Value]) WithValue(parent context.Context, val Value) context.Context {
-	return context.WithValue(parent, key.contextKey(), stringer[Value]{val})
-}
-
-// ValueOk returns the value in the context associated with this key
-// and also reports whether it was present.
-// If the value is not present, it returns the default value.
-func (key Key[Value]) ValueOk(ctx context.Context) (v Value, ok bool) {
-	vv, ok := ctx.Value(key.contextKey()).(stringer[Value])
-	if !ok && key.defVal != nil {
-		vv.v = *key.defVal
-	}
-	return vv.v, ok
-}
-
-// Value returns the value in the context associated with this key.
-// If the value is not present, it returns the default value.
-func (key Key[Value]) Value(ctx context.Context) (v Value) {
-	v, _ = key.ValueOk(ctx)
-	return v
-}
-
-// Has reports whether the context has a value for this key.
-func (key Key[Value]) Has(ctx context.Context) (ok bool) {
-	_, ok = key.ValueOk(ctx)
-	return ok
-}
-
-// String returns the name of the key.
-func (key Key[Value]) String() string {
-	if key.name == nil {
-		return reflectTypeFor[Value]().String()
-	}
-	return key.name.String()
-}
-
-// stringer implements [fmt.Stringer] on a generic T.
-//
-// This assists in debugging such that printing a context prints key and value.
-// Note that the [context] package lacks a dependency on [reflect],
-// so it cannot print arbitrary values. By implementing [fmt.Stringer],
-// we functionally teach a context how to print itself.
-//
-// Wrapping values within a struct has an added bonus that interface kinds
-// are properly handled. Without wrapping, we would be unable to distinguish
-// between a nil value that was explicitly set or not.
-// However, the presence of a stringer indicates an explicit nil value.
-type stringer[T any] struct{ v T }
-
-func (v stringer[T]) String() string { return fmt.Sprint(v.v) }

util/ctxkey/key_test.go

@@ -1,104 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package ctxkey
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"regexp"
-	"testing"
-	"time"
-
-	qt "github.com/frankban/quicktest"
-)
-
-func TestKey(t *testing.T) {
-	c := qt.New(t)
-	ctx := context.Background()
-
-	// Test keys with the same name as being distinct.
-	k1 := New("same.Name", "")
-	c.Assert(k1.String(), qt.Equals, "same.Name")
-	k2 := New("same.Name", "")
-	c.Assert(k2.String(), qt.Equals, "same.Name")
-	c.Assert(k1 == k2, qt.Equals, false)
-	ctx = k1.WithValue(ctx, "hello")
-	c.Assert(k1.Has(ctx), qt.Equals, true)
-	c.Assert(k1.Value(ctx), qt.Equals, "hello")
-	c.Assert(k2.Has(ctx), qt.Equals, false)
-	c.Assert(k2.Value(ctx), qt.Equals, "")
-	ctx = k2.WithValue(ctx, "goodbye")
-	c.Assert(k1.Has(ctx), qt.Equals, true)
-	c.Assert(k1.Value(ctx), qt.Equals, "hello")
-	c.Assert(k2.Has(ctx), qt.Equals, true)
-	c.Assert(k2.Value(ctx), qt.Equals, "goodbye")
-
-	// Test default value.
-	k3 := New("mapreduce.Timeout", time.Hour)
-	c.Assert(k3.Has(ctx), qt.Equals, false)
-	c.Assert(k3.Value(ctx), qt.Equals, time.Hour)
-	ctx = k3.WithValue(ctx, time.Minute)
-	c.Assert(k3.Has(ctx), qt.Equals, true)
-	c.Assert(k3.Value(ctx), qt.Equals, time.Minute)
-
-	// Test incomparable value.
-	k4 := New("slice", []int(nil))
-	c.Assert(k4.Has(ctx), qt.Equals, false)
-	c.Assert(k4.Value(ctx), qt.DeepEquals, []int(nil))
-	ctx = k4.WithValue(ctx, []int{1, 2, 3})
-	c.Assert(k4.Has(ctx), qt.Equals, true)
-	c.Assert(k4.Value(ctx), qt.DeepEquals, []int{1, 2, 3})
-
-	// Accessors should be allocation free.
-	c.Assert(testing.AllocsPerRun(100, func() {
-		k1.Value(ctx)
-		k1.Has(ctx)
-		k1.ValueOk(ctx)
-	}), qt.Equals, 0.0)
-
-	// Test keys that are created without New.
-	var k5 Key[string]
-	c.Assert(k5.String(), qt.Equals, "string")
-	c.Assert(k1 == k5, qt.Equals, false) // should be different from key created by New
-	c.Assert(k5.Has(ctx), qt.Equals, false)
-	ctx = k5.WithValue(ctx, "fizz")
-	c.Assert(k5.Value(ctx), qt.Equals, "fizz")
-	var k6 Key[string]
-	c.Assert(k6.String(), qt.Equals, "string")
-	c.Assert(k5 == k6, qt.Equals, true)
-	c.Assert(k6.Has(ctx), qt.Equals, true)
-	ctx = k6.WithValue(ctx, "fizz")
-
-	// Test interface value types.
-	var k7 Key[any]
-	c.Assert(k7.Has(ctx), qt.Equals, false)
-	ctx = k7.WithValue(ctx, "whatever")
-	c.Assert(k7.Value(ctx), qt.DeepEquals, "whatever")
-	ctx = k7.WithValue(ctx, []int{1, 2, 3})
-	c.Assert(k7.Value(ctx), qt.DeepEquals, []int{1, 2, 3})
-	ctx = k7.WithValue(ctx, nil)
-	c.Assert(k7.Has(ctx), qt.Equals, true)
-	c.Assert(k7.Value(ctx), qt.DeepEquals, nil)
-	k8 := New[error]("error", io.EOF)
-	c.Assert(k8.Has(ctx), qt.Equals, false)
-	c.Assert(k8.Value(ctx), qt.Equals, io.EOF)
-	ctx = k8.WithValue(ctx, nil)
-	c.Assert(k8.Value(ctx), qt.Equals, nil)
-	c.Assert(k8.Has(ctx), qt.Equals, true)
-	err := fmt.Errorf("read error: %w", io.ErrUnexpectedEOF)
-	ctx = k8.WithValue(ctx, err)
-	c.Assert(k8.Value(ctx), qt.Equals, err)
-	c.Assert(k8.Has(ctx), qt.Equals, true)
-}
-
-func TestStringer(t *testing.T) {
-	t.SkipNow() // TODO(https://go.dev/cl/555697): Enable this after fix is merged upstream.
-	c := qt.New(t)
-	ctx := context.Background()
-	c.Assert(fmt.Sprint(New("foo.Bar", "").WithValue(ctx, "baz")), qt.Matches, regexp.MustCompile("foo.Bar.*baz"))
-	c.Assert(fmt.Sprint(New("", []int{}).WithValue(ctx, []int{1, 2, 3})), qt.Matches, regexp.MustCompile(fmt.Sprintf("%[1]T.*%[1]v", []int{1, 2, 3})))
-	c.Assert(fmt.Sprint(New("", 0).WithValue(ctx, 5)), qt.Matches, regexp.MustCompile("int.*5"))
-	c.Assert(fmt.Sprint(Key[time.Duration]{}.WithValue(ctx, time.Hour)), qt.Matches, regexp.MustCompile(fmt.Sprintf("%[1]T.*%[1]v", time.Hour)))
-}

util/execqueue/execqueue.go

@@ -1,104 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package execqueue implements an ordered asynchronous queue for executing functions.
-package execqueue
-
-import (
-	"context"
-	"errors"
-	"sync"
-)
-
-type ExecQueue struct {
-	mu         sync.Mutex
-	closed     bool
-	inFlight   bool          // whether a goroutine is running q.run
-	doneWaiter chan struct{} // non-nil if waiter is waiting, then closed
-	queue      []func()
-}
-
-func (q *ExecQueue) Add(f func()) {
-	q.mu.Lock()
-	defer q.mu.Unlock()
-	if q.closed {
-		return
-	}
-	if q.inFlight {
-		q.queue = append(q.queue, f)
-	} else {
-		q.inFlight = true
-		go q.run(f)
-	}
-}
-
-// RunSync waits for the queue to be drained and then synchronously runs f.
-// It returns an error if the queue is closed before f is run or ctx expires.
-func (q *ExecQueue) RunSync(ctx context.Context, f func()) error {
-	for {
-		if err := q.Wait(ctx); err != nil {
-			return err
-		}
-		q.mu.Lock()
-		if q.inFlight {
-			q.mu.Unlock()
-			continue
-		}
-		defer q.mu.Unlock()
-		if q.closed {
-			return errors.New("closed")
-		}
-		f()
-		return nil
-	}
-}
-
-func (q *ExecQueue) run(f func()) {
-	f()
-
-	q.mu.Lock()
-	for len(q.queue) > 0 && !q.closed {
-		f := q.queue[0]
-		q.queue[0] = nil
-		q.queue = q.queue[1:]
-		q.mu.Unlock()
-		f()
-		q.mu.Lock()
-	}
-	q.inFlight = false
-	q.queue = nil
-	if q.doneWaiter != nil {
-		close(q.doneWaiter)
-		q.doneWaiter = nil
-	}
-	q.mu.Unlock()
-}
-
-// Shutdown asynchronously signals the queue to stop.
-func (q *ExecQueue) Shutdown() {
-	q.mu.Lock()
-	defer q.mu.Unlock()
-	q.closed = true
-}
-
-// Wait waits for the queue to be empty.
-func (q *ExecQueue) Wait(ctx context.Context) error {
-	q.mu.Lock()
-	waitCh := q.doneWaiter
-	if q.inFlight && waitCh == nil {
-		waitCh = make(chan struct{})
-		q.doneWaiter = waitCh
-	}
-	q.mu.Unlock()
-
-	if waitCh == nil {
-		return nil
-	}
-
-	select {
-	case <-waitCh:
-		return nil
-	case <-ctx.Done():
-		return ctx.Err()
-	}
-}

util/execqueue/execqueue_test.go

@@ -1,22 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package execqueue
-
-import (
-	"context"
-	"sync/atomic"
-	"testing"
-)
-
-func TestExecQueue(t *testing.T) {
-	ctx := context.Background()
-	var n atomic.Int32
-	q := &ExecQueue{}
-	defer q.Shutdown()
-	q.Add(func() { n.Add(1) })
-	q.Wait(ctx)
-	if got := n.Load(); got != 1 {
-		t.Errorf("n=%d; want 1", got)
-	}
-}

version/mkversion/mkversion.go

@@ -199,13 +199,6 @@ func tailscaleModuleRef(modBs []byte) (string, error) {
 }
 
 func mkOutput(v verInfo) (VersionInfo, error) {
-	if override := os.Getenv("TS_VERSION_OVERRIDE"); override != "" {
-		var err error
-		v.major, v.minor, v.patch, err = parseVersion(override)
-		if err != nil {
-			return VersionInfo{}, fmt.Errorf("failed to parse TS_VERSION_OVERRIDE: %w", err)
-		}
-	}
 	var changeSuffix string
 	if v.minor%2 == 1 {
 		// Odd minor numbers are unstable builds.

wgengine/router/router_windows.go

@@ -12,7 +12,6 @@ import (
 	"net/netip"
 	"os"
 	"os/exec"
-	"path/filepath"
 	"slices"
 	"strings"
 	"sync"
@@ -156,13 +155,6 @@ type firewallTweaker struct {
 	// stop makes fwProc exit when closed.
 	fwProcWriter  io.WriteCloser
 	fwProcEncoder *json.Encoder
-
-	// The path to the 'netsh.exe' binary, populated during the first call
-	// to runFirewall.
-	//
-	// not protected by mu; netshPath is only mutated inside netshPathOnce
-	netshPathOnce sync.Once
-	netshPath     string
 }
 
 func (ft *firewallTweaker) clear() { ft.set(nil, nil, nil) }
@@ -193,43 +185,10 @@ func (ft *firewallTweaker) set(cidrs []string, routes, localRoutes []netip.Prefi
 	go ft.doAsyncSet()
 }
 
-// getNetshPath returns the path that should be used to execute netsh.
-//
-// We've seen a report from a customer that we're triggering the "cannot run
-// executable found relative to current directory" protection that was added to
-// prevent running possibly attacker-controlled binaries. To mitigate this,
-// first try looking up the path to netsh.exe in the System32 directory
-// explicitly, and then fall back to the prior behaviour of passing "netsh" to
-// os/exec.Command.
-func (ft *firewallTweaker) getNetshPath() string {
-	ft.netshPathOnce.Do(func() {
-		// The default value is the old approach: just run "netsh" and
-		// let os/exec resolve that into a full path.
-		ft.netshPath = "netsh"
-
-		path, err := windows.KnownFolderPath(windows.FOLDERID_System, 0)
-		if err != nil {
-			ft.logf("getNetshPath: error getting FOLDERID_System: %v", err)
-			return
-		}
-
-		expath := filepath.Join(path, "netsh.exe")
-		if _, err := os.Stat(expath); err == nil {
-			ft.netshPath = expath
-			return
-		} else if !os.IsNotExist(err) {
-			ft.logf("getNetshPath: error checking for existence of %q: %v", expath, err)
-		}
-
-		// Keep default
-	})
-	return ft.netshPath
-}
-
 func (ft *firewallTweaker) runFirewall(args ...string) (time.Duration, error) {
 	t0 := time.Now()
 	args = append([]string{"advfirewall", "firewall"}, args...)
-	cmd := exec.Command(ft.getNetshPath(), args...)
+	cmd := exec.Command("netsh", args...)
 	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
 	b, err := cmd.CombinedOutput()
 	if err != nil {

wgengine/router/router_windows_test.go

@@ -1,19 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package router
-
-import (
-	"path/filepath"
-	"testing"
-)
-
-func TestGetNetshPath(t *testing.T) {
-	ft := &firewallTweaker{
-		logf: t.Logf,
-	}
-	path := ft.getNetshPath()
-	if !filepath.IsAbs(path) {
-		t.Errorf("expected absolute path for netsh.exe: %q", path)
-	}
-}